File name: GOG_Galaxy_2.0.exe
Full analysis: https://app.any.run/tasks/db9cd33a-30c0-43bb-8a59-126cdc65b354
Verdict: Malicious activity
Analysis date: April 13, 2025, 20:54:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, delphi, inno, installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 17A51AB51172E64A7A0A95A269402452
SHA1: A8A489EB9D2184AC4A7D6E3A958595CA70DB53DF
SHA256: 9248E28C33A136B287A29724DA6BC7144CB0F8A965775AFA4E19AC525CE2D964
SSDEEP: 49152:O+S91vvcQhQbFuPnUqWozGnjLfB4h+fsnOYAWnrqklR:w91sfMPU/vZtUxnrq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x64.exe (PID: 1532)
      • GalaxySetup.tmp (PID: 2908)
      • GalaxyClient.exe (PID: 4200)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.tmp (PID: 2984)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 4896)
      • GalaxySetup.tmp (PID: 2908)
      • GalaxyClient.exe (PID: 4200)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 5044)
    • Reads the date of Windows installation

      • GalaxyInstaller.exe (PID: 5960)
    • Executable content was dropped or overwritten

      • GalaxySetup.exe (PID: 5360)
      • GalaxySetup.exe (PID: 6872)
      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 1600)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 6476)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 4896)
      • VC_redist.x64.exe (PID: 5384)
    • Reads the Windows owner or organization settings

      • GalaxySetup.tmp (PID: 2908)
      • msiexec.exe (PID: 5956)
    • Process drops legitimate Windows executable

      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 1600)
      • VC_redist.x86.exe (PID: 5036)
      • msiexec.exe (PID: 5956)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 6476)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 5384)
    • Process drops Python dynamic module

      • GalaxySetup.tmp (PID: 2908)
    • The process drops C-runtime libraries

      • GalaxySetup.tmp (PID: 2908)
      • msiexec.exe (PID: 5956)
    • Starts a Microsoft application from unusual location

      • VC_redist.x86.exe (PID: 1600)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 6476)
      • VC_redist.x64.exe (PID: 1532)
    • Starts itself from another location

      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x64.exe (PID: 5680)
    • Searches for installed software

      • VC_redist.x86.exe (PID: 4284)
      • dllhost.exe (PID: 6488)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 5384)
      • VC_redist.x64.exe (PID: 4896)
    • Executes as Windows Service

      • VSSVC.exe (PID: 960)
    • Creates a software uninstall entry

      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x64.exe (PID: 1532)
    • Application launched itself

      • VC_redist.x86.exe (PID: 5048)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 2288)
      • VC_redist.x64.exe (PID: 4896)
    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 5956)
  • INFO

    • Creates files in the program directory

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x64.exe (PID: 1532)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 4200)
    • Creates files or folders in the user directory

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • msiexec.exe (PID: 5956)
      • GalaxyClient.exe (PID: 4200)
    • Reads the machine GUID from the registry

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • msiexec.exe (PID: 5956)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x64.exe (PID: 1532)
      • GalaxyClient.exe (PID: 4200)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 5044)
    • Checks supported languages

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.exe (PID: 5360)
      • GalaxySetup.tmp (PID: 2984)
      • GalaxySetup.exe (PID: 6872)
      • VC_redist.x86.exe (PID: 1600)
      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x86.exe (PID: 4284)
      • msiexec.exe (PID: 5956)
      • VC_redist.x86.exe (PID: 5048)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 6476)
      • VC_redist.x64.exe (PID: 2288)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 4896)
      • VC_redist.x64.exe (PID: 5384)
      • GalaxyClient.exe (PID: 4200)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 5044)
    • Reads the computer name

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.tmp (PID: 2984)
      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x86.exe (PID: 4284)
      • msiexec.exe (PID: 5956)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 4896)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 5384)
      • GalaxyClient.exe (PID: 4200)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 5044)
    • Process checks computer location settings

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.tmp (PID: 2984)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 4896)
      • GalaxySetup.tmp (PID: 2908)
    • Reads the software policy settings

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • slui.exe (PID: 1180)
      • slui.exe (PID: 5260)
      • msiexec.exe (PID: 5956)
      • GalaxyClient.exe (PID: 4200)
      • GalaxyClient.exe (PID: 3768)
      • GalaxyClient.exe (PID: 5044)
    • Checks proxy server information

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • slui.exe (PID: 5260)
    • Creates files in a temporary directory

      • GOG_Galaxy_2.0.exe (PID: 4108)
      • GalaxyInstaller.exe (PID: 5960)
      • GalaxySetup.exe (PID: 5360)
      • GalaxySetup.exe (PID: 6872)
      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 5036)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 4896)
    • Disables trace logs

      • GalaxyInstaller.exe (PID: 5960)
    • Reads product name

      • GalaxyInstaller.exe (PID: 5960)
    • Reads Environment values

      • GalaxyInstaller.exe (PID: 5960)
    • UPX packer has been detected

      • GOG_Galaxy_2.0.exe (PID: 4108)
    • The sample was compiled with Russian language support

      • GalaxySetup.tmp (PID: 2908)
    • Detects InnoSetup installer (YARA)

      • GalaxySetup.exe (PID: 5360)
      • GalaxySetup.exe (PID: 6872)
      • GalaxySetup.tmp (PID: 2984)
      • GalaxySetup.tmp (PID: 2908)
    • Compiled with Borland Delphi (YARA)

      • GalaxySetup.tmp (PID: 2908)
      • GalaxySetup.tmp (PID: 2984)
      • GalaxySetup.exe (PID: 6872)
      • GalaxySetup.exe (PID: 5360)
    • Manual execution by a user

      • mspaint.exe (PID: 6032)
    • The sample was compiled with English language support

      • GalaxySetup.tmp (PID: 2908)
      • VC_redist.x86.exe (PID: 4284)
      • VC_redist.x86.exe (PID: 1600)
      • VC_redist.x86.exe (PID: 5036)
      • msiexec.exe (PID: 5956)
      • VC_redist.x86.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 5680)
      • VC_redist.x86.exe (PID: 4464)
      • VC_redist.x64.exe (PID: 6476)
      • VC_redist.x64.exe (PID: 1532)
      • VC_redist.x64.exe (PID: 4896)
      • VC_redist.x64.exe (PID: 5384)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5956)
    • Manages system restore points

      • SrTasks.exe (PID: 5352)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5956)
      • GalaxySetup.tmp (PID: 2908)
    • Process checks whether UAC notifications are on

      • GalaxyClient.exe (PID: 4200)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:12 14:54:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 471040
InitializedDataSize: 499712
UninitializedDataSize: 1388544
EntryPoint: 0x1c62e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.2
ProductVersionNumber: 2.0.0.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: GOG Sp. z o.o.
FileDescription: GOG Galaxy Webinstaller
FileVersion: 2.0.0.2
LegalCopyright: (C) GOG Sp. z o.o. 2020
InternalName: GOG Galaxy Webinstaller.exe
ProductName: GOG Galaxy Webinstaller
ProductVersion: 2.0.0.2
No data.
All screenshots are available in the full report
Total processes: 170
Monitored processes: 31
Malicious processes: 13
Suspicious processes: 3

Behavior graph

start gog_galaxy_2.0.exe galaxyinstaller.exe sppextcomobj.exe no specs slui.exe galaxysetup.exe slui.exe galaxysetup.tmp no specs galaxysetup.exe galaxysetup.tmp mspaint.exe no specs vc_redist.x86.exe vc_redist.x86.exe vc_redist.x86.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe vc_redist.x86.exe no specs vc_redist.x86.exe vc_redist.x86.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe galaxyclient.exe galaxyclient.exe no specs galaxyclient.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 960 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180 | CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | Path: C:\Windows\System32\slui.exe | Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1328 | CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | Path: C:\Windows\System32\dllhost.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1532 | CMD: "C:\WINDOWS\Temp\{CCF55F09-8778-45A6-B28F-8E3CDB55D950}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{95D341F5-327D-4B46-AB20-BEA5362125F1} {4A6CA9F1-FCAF-448B-8028-716A7358927F} 5680 | Path: C:\Windows\Temp\{CCF55F09-8778-45A6-B28F-8E3CDB55D950}\.be\VC_redist.x64.exe | Parent process: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810
Exit code: 3010
Version: 14.40.33810.0
Modules (images):
c:\windows\temp\{ccf55f09-8778-45a6-b28f-8e3cdb55d950}\.be\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1600 | CMD: "C:\Users\admin\AppData\Local\Temp\is-513MU.tmp\VC_redist.x86.exe" /install /quiet /norestart | Path: C:\Users\admin\AppData\Local\Temp\is-513MU.tmp\VC_redist.x86.exe | Parent process: GalaxySetup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33810
Exit code: 0
Version: 14.40.33810.0
Modules (images):
c:\users\admin\appdata\local\temp\is-513mu.tmp\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2288 | CMD: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1180 -burn.embedded BurnPipe.{49E73A3A-BF3D-4A60-8694-048FA17111C7} {4676AB08-9A1C-4981-8DD2-B73BC16BCAF5} 1532 | Path: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | Parent process: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules (images):
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2392 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 2908 | CMD: "C:\Users\admin\AppData\Local\Temp\is-GTQ33.tmp\GalaxySetup.tmp" /SL5="$9014C,284412419,1268224,C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\GalaxySetup.exe" /SPAWNWND=$902E8 /NOTIFYWND=$902B2 /lang=en_US /campaign="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" | Path: C:\Users\admin\AppData\Local\Temp\is-GTQ33.tmp\GalaxySetup.tmp | Parent process: GalaxySetup.exe
User: admin
Company: GOG.com
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-gtq33.tmp\galaxysetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2984 | CMD: "C:\Users\admin\AppData\Local\Temp\is-0NCBI.tmp\GalaxySetup.tmp" /SL5="$902B2,284412419,1268224,C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\GalaxySetup.exe" /lang=en_US /campaign="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" | Path: C:\Users\admin\AppData\Local\Temp\is-0NCBI.tmp\GalaxySetup.tmp | Parent process: GalaxySetup.exe
User: admin
Company: GOG.com
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-0ncbi.tmp\galaxysetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 3768 | CMD: "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /clientLanguage=en-US | Path: C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe | Parent process: GalaxySetup.tmp
User: admin
Company: GOG.com
Integrity Level: MEDIUM
Description: GOG Galaxy
Exit code: 4294967249
Version: 2.0.83.4
Modules (images):
c:\program files (x86)\gog galaxy\galaxyclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 36 961
Read events: 35 199
Write events: 1 139
Delete events: 623

Modification events

Process: (4108) GOG_Galaxy_2.0.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
Process: (4108) GOG_Galaxy_2.0.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
Process: (4108) GOG_Galaxy_2.0.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
Process: (5960) GalaxyInstaller.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
Executable files: 475
Suspicious files: 466
Text files: 1 379
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5960 | GalaxyInstaller.exe | C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\GalaxySetup.exe | -
MD5: -
SHA256: -
4108 | GOG_Galaxy_2.0.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5: 4904463CFA2C89B2BDC5B28696BFEA9C
SHA256: E3DE6C5793D2073F410DF416F813057651AB36921692BFC8961CE521378B0D3D
4108 | GOG_Galaxy_2.0.exe | C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\payload.campaign | binary
MD5: 15C1743687D0B89EA13E7ADA66391234
SHA256: 05D5D013ACB3BC26B4F8A6C9E349088A3AF55481DFADE2D455A68D336C2A0696
4108 | GOG_Galaxy_2.0.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5: 05BB052A37119D7F8EE19078F4B611D0
SHA256: A791BEDC779E12D06B5511AE621A0E3962FB15D042C26A0D92637376DB384DCE
4108 | GOG_Galaxy_2.0.exe | C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\payload.base64 | text
MD5: 8FD0FA11B35F5988EDECB17AF57C505D
SHA256: 4BCB71EFF446900803C2510241B5ACB2F70C7DC04C01FAA87483EA9DBFD55B1B
6872 | GalaxySetup.exe | C:\Users\admin\AppData\Local\Temp\is-GTQ33.tmp\GalaxySetup.tmp | executable
MD5: A675E14E0480C2F96E45266254299215
SHA256: F8564494B87D73F65391CE2ACF03FF7F010FA6DA0DA342BADA0BEEDCF870C814
5960 | GalaxyInstaller.exe | C:\ProgramData\GOG.com\Galaxy\logs\InstallerWebinstaller.log | text
MD5: 60DFC3065B233556505F416F3DFA5FD9
SHA256: 9CFFF92C43F08639C146D499C25207C379211634E76A8923C2376B1A151E2455
5360 | GalaxySetup.exe | C:\Users\admin\AppData\Local\Temp\is-0NCBI.tmp\GalaxySetup.tmp | executable
MD5: A675E14E0480C2F96E45266254299215
SHA256: F8564494B87D73F65391CE2ACF03FF7F010FA6DA0DA342BADA0BEEDCF870C814
2908 | GalaxySetup.tmp | C:\Users\admin\AppData\Local\Temp\is-513MU.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4108 | GOG_Galaxy_2.0.exe | C:\Users\admin\AppData\Local\Temp\GalaxyInstaller_aTGsg\remoteconfig.json | binary
MD5: 5AA50E573B9BBDB3C4622955B9678440
SHA256: E94048ECEF019EC22B72140EE60D05DAFEDAD0089652041ADBFF4B9FE16E01F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 35
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.150:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4108 | GOG_Galaxy_2.0.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5956 | msiexec.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5956 | msiexec.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.150:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4108 | GOG_Galaxy_2.0.exe | 151.101.1.55:443 | remote-config.gog.com | FASTLY | US | whitelisted
4108 | GOG_Galaxy_2.0.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5960 | GalaxyInstaller.exe | 151.101.65.55:443 | remote-config.gog.com | FASTLY | US | whitelisted
5960 | GalaxyInstaller.exe | 199.232.197.55:443 | gog-cdn-fastly.gog.com | FASTLY | US | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
whitelisted
remote-config.gog.com
  • 151.101.1.55
  • 151.101.193.55
  • 151.101.65.55
  • 151.101.129.55
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
content-system.gog.com
  • 151.101.65.55
  • 151.101.1.55
  • 151.101.193.55
  • 151.101.129.55
whitelisted
gog-cdn-fastly.gog.com
  • 199.232.197.55
  • 199.232.193.55
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
Process | Message
msiexec.exe | Failed to release Service