Malware analysis GOG Galaxy - Game Installer.exe Malicious activity

Add for printing

File name:	GOG Galaxy - Game Installer.exe
Full analysis:	https://app.any.run/tasks/022f719c-797c-40d4-9eb5-4f95250ab623
Verdict:	Malicious activity
Analysis date:	October 08, 2018, 18:54:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	80FF42038E514EDBDC1A915B5C7CC559
SHA1:	3E2FF238048C0C883C734D8CEC62C16AB04897C3
SHA256:	F7702F63AE77C17ACE4C446D15B40A2FA9BA94B786A10A1741A8C1AE6830DD67
SSDEEP:	6144:vGJIL+f2cTrVcRS8LyYSVougxVZ/WlNf2zZzy+vulDCClJGcq3S2N05:uKL+fzrVcR1OuBZ/Wz2gN3Gcq30

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - vs2015-redist-x64.exe (PID: 1960)
  - GalaxyClient.exe (PID: 1340)
  - GalaxyClient.exe (PID: 1432)
  - GalaxyClient.exe (PID: 2756)
  - GalaxyClient.exe (PID: 1904)
  - GalaxyClient Helper.exe (PID: 1600)
  - GOG Galaxy Notifications Renderer.exe (PID: 2260)
  - GalaxyClientService.exe (PID: 2232)
- Changes the autorun value in the registry
  - GalaxySetup.tmp (PID: 920)
  - GalaxyClient.exe (PID: 1432)
- Application was dropped or rewritten from another process
  - vs2015-redist-x64.exe (PID: 2268)
  - vs2015-redist-x64.exe (PID: 1960)
  - GalaxyClient.exe (PID: 1904)
  - GalaxyClient.exe (PID: 1340)
  - GalaxyClient Helper.exe (PID: 1600)
  - GalaxyClient.exe (PID: 1432)
  - GalaxyClient.exe (PID: 2756)
  - GOG Galaxy Notifications Renderer.exe (PID: 2260)
  - GalaxyClientService.exe (PID: 2232)
SUSPICIOUS
- Reads Windows owner settings
  - GalaxySetup.tmp (PID: 920)
- Reads the Windows organization settings
  - GalaxySetup.tmp (PID: 920)
- Executable content was dropped or overwritten
  - GalaxySetup.exe (PID: 2284)
  - vcredist_x86_2015.exe (PID: 2916)
  - GalaxySetup.tmp (PID: 920)
- Creates files in the program directory
  - GOG Galaxy - Game Installer.exe (PID: 2628)
  - GalaxyInstaller.exe (PID: 3008)
  - GalaxyClient.exe (PID: 1432)
  - GalaxyClientService.exe (PID: 2232)
  - GalaxyClient.exe (PID: 2756)
  - GalaxyClient Helper.exe (PID: 1600)
  - GOG Galaxy Notifications Renderer.exe (PID: 2260)
  - GalaxyClient.exe (PID: 1340)
- Searches for installed software
  - vcredist_x86_2015.exe (PID: 2916)
- Creates files in the Windows directory
  - GalaxySetup.tmp (PID: 920)
- Modifies the open verb of a shell class
  - GalaxyClient.exe (PID: 1340)
- Application launched itself
  - vcredist_x86_2015.exe (PID: 3452)
INFO
- Loads dropped or rewritten executable
  - GalaxySetup.tmp (PID: 920)
  - vcredist_x86_2015.exe (PID: 2916)
- Creates a software uninstall entry
  - GalaxySetup.tmp (PID: 920)
- Application was dropped or rewritten from another process
  - GalaxySetup.tmp (PID: 920)
  - vcredist_x86_2015.exe (PID: 3452)
  - vcredist_x86_2015.exe (PID: 2916)
- Reads settings of System Certificates
  - GalaxyClient.exe (PID: 1340)
- Dropped object may contain Bitcoin addresses
  - GalaxySetup.tmp (PID: 920)
- Creates files in the program directory
  - GalaxySetup.tmp (PID: 920)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:10:04 12:55:05+02:00
PEType:	PE32
LinkerVersion:	14
CodeSize:	335872
InitializedDataSize:	94208
UninitializedDataSize:	655360
EntryPoint:	0xf2610
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.1.0.1
ProductVersionNumber:	1.1.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	GOG Sp. z o.o.
FileDescription:	GWENT: The Witcher Card Game / PTR
FileVersion:	1.1.0.0
InternalName:	GOG Galaxy - Game Installer.exe
LegalCopyright:	(C) GOG Sp. z o.o. 2018
OriginalFileName:	GOG Galaxy - Game Installer.exe
ProductName:	GWENT: The Witcher Card Game / PTR
ProductVersion:	1.1.0.0
ProductID:	1474713938

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	04-Oct-2018 10:55:05
Detected languages:	English - United States Polish - Poland
CompanyName:	GOG Sp. z o.o.
FileDescription:	GWENT: The Witcher Card Game / PTR
FileVersion:	1.1.0.0
InternalName:	GOG Galaxy - Game Installer.exe
LegalCopyright:	(C) GOG Sp. z o.o. 2018
OriginalFilename:	GOG Galaxy - Game Installer.exe
ProductName:	GWENT: The Witcher Card Game / PTR
ProductVersion:	1.1.0.0
ProductID:	1474713938

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	04-Oct-2018 10:55:05
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
UPX0	0x00001000	0x000A0000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
UPX1	0x000A1000	0x00052000	0x00051A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.92963
.rsrc	0x000F3000	0x00017000	0x00016A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.85124

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.12886	1258	Latin 1 / Western European	English - United States	RT_MANIFEST
2	7.95367	5198	Latin 1 / Western European	Polish - Poland	RT_ICON
3	6.12147	4264	Latin 1 / Western European	Polish - Poland	RT_ICON
4	5.59464	1128	Latin 1 / Western European	Polish - Poland	RT_ICON
7	6.22199	116	Latin 1 / Western European	English - United States	RT_STRING
109	3.40564	16	Latin 1 / Western European	English - United States	RT_ACCELERATOR
129	7.92106	119904	Latin 1 / Western European	Polish - Poland	RT_RCDATA
132	2.41974	62	Latin 1 / Western European	Polish - Poland	RT_GROUP_ICON
133	7.91936	22399	Latin 1 / Western European	Polish - Poland	RT_RCDATA
134	7.83855	6144	Latin 1 / Western European	Polish - Poland	RT_RCDATA

Imports


ADVAPI32.dll
KERNEL32.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
urlmon.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

920

"C:\Users\admin\AppData\Local\Temp\is-UQVEM.tmp\GalaxySetup.tmp" /SL5="$D05C2,191333713,274432,C:\Users\admin\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe" /lang=en_US /webinstaller /product_id=1474713938 /silent /game_name="GWENT: The Witcher Card Game / PTR"

C:\Users\admin\AppData\Local\Temp\is-UQVEM.tmp\GalaxySetup.tmp

GalaxySetup.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-uqvem.tmp\galaxysetup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1340

"C:\Program Files\GOG Galaxy\GalaxyClient.exe" /command=installationScreen /gameId=1474713938

C:\Program Files\GOG Galaxy\GalaxyClient.exe

GOG Galaxy - Game Installer.exe

User:

admin

Company:

GOG.com

Integrity Level:

MEDIUM

Description:

GOG Galaxy

Exit code:

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\galaxyclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\gog galaxy\libcef.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

1432

"C:\Program Files\GOG Galaxy\GalaxyClient.exe" /firstRun

C:\Program Files\GOG Galaxy\GalaxyClient.exe

GalaxySetup.tmp

User:

admin

Company:

GOG.com

Integrity Level:

HIGH

Description:

GOG Galaxy

Exit code:

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\galaxyclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\gog galaxy\libcef.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

1600

"C:\Program Files\GOG Galaxy\GalaxyClient Helper.exe" --type=renderer --enable-smooth-scrolling --js-flags=--expose-gc --no-sandbox --service-pipe-token=E183CAEEC51DA963B8D101EB700970DA --lang=en-US --lang=en-US --log-file="C:\ProgramData\GOG.com\Galaxy\logs\cef.log" --log-severity=info --disable-pdf-extension --disable-spell-checking --uncaught-exception-stack-size=999 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=E183CAEEC51DA963B8D101EB700970DA --renderer-client-id=2 --mojo-platform-channel-handle=1788 /prefetch:1

C:\Program Files\GOG Galaxy\GalaxyClient Helper.exe

GalaxyClient.exe

User:

admin

Company:

GOG.com

Integrity Level:

MEDIUM

Description:

GalaxyClient Helper Application

Exit code:

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\galaxyclient helper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\gog galaxy\pocofoundation.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\gog galaxy\pcre.dll

1904

"C:\Program Files\GOG Galaxy\GalaxyClient.exe" /clientLanguage=en-US

C:\Program Files\GOG Galaxy\GalaxyClient.exe

GalaxySetup.tmp

User:

admin

Company:

GOG.com

Integrity Level:

HIGH

Description:

GOG Galaxy

Exit code:

4294967265

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\galaxyclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\gog galaxy\libcef.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

1960

"C:\ProgramData\GOG.com\Galaxy\redists\overlay\vs2015-redist-x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{219BDF85-7841-4D6E-B207-8099CF8AB20C} {8B9784D9-4698-4077-A9C3-DFF6306626BF} 2268

C:\ProgramData\GOG.com\Galaxy\redists\overlay\vs2015-redist-x64.exe

—

vs2015-redist-x64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24212

Exit code:

Version:

14.0.24212.0

Modules

Images
c:\programdata\gog.com\galaxy\redists\overlay\vs2015-redist-x64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2232

"C:\Program Files\GOG Galaxy\GalaxyClientService.exe"

C:\Program Files\GOG Galaxy\GalaxyClientService.exe

—

services.exe

User:

SYSTEM

Company:

GOG.com

Integrity Level:

SYSTEM

Description:

GalaxyClientService

Exit code:

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\galaxyclientservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\program files\gog galaxy\pocofoundation.dll
c:\windows\system32\advapi32.dll

2260

"C:\Program Files\GOG Galaxy\GOG Galaxy Notifications Renderer.exe"

C:\Program Files\GOG Galaxy\GOG Galaxy Notifications Renderer.exe

—

GalaxyClient.exe

User:

admin

Company:

GOG.com

Integrity Level:

MEDIUM

Description:

GOG Galaxy Notifications Renderer

Exit code:

Version:

1.2.46.172

Modules

Images
c:\program files\gog galaxy\gog galaxy notifications renderer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\gog galaxy\pocofoundation.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\gog galaxy\pcre.dll

2268

"C:\ProgramData\GOG.com\Galaxy\redists\overlay\vs2015-redist-x64.exe" /install /quiet /norestart

C:\ProgramData\GOG.com\Galaxy\redists\overlay\vs2015-redist-x64.exe

—

GalaxySetup.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24212

Exit code:

Version:

14.0.24212.0

Modules

Images
c:\programdata\gog.com\galaxy\redists\overlay\vs2015-redist-x64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2284

"C:\Users\admin\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe" /lang=en_US /webinstaller /product_id=1474713938 /silent /game_name="GWENT: The Witcher Card Game / PTR"

C:\Users\admin\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe

GalaxyInstaller.exe

User:

admin

Company:

GOG.com

Integrity Level:

HIGH

Description:

GOG Galaxy

Exit code:

Version:

1.2.46.172

Modules

Images
c:\users\admin\appdata\local\temp\galaxyinstaller\galaxysetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

1 354

Read events

1 211

Write events

138

Delete events

Modification events


(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2628) GOG Galaxy - Game Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GOG Galaxy - Game Installer_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760

Add for printing

Executable files

115

Suspicious files

Text files

223

Unknown types

Dropped files

PID	Process	Filename		Type
3008	GalaxyInstaller.exe	C:\Users\admin\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Program Files\GOG Galaxy\is-DU583.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-S1UAB.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-33G5S.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-HCO0R.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-3RFTR.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-262U4.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-2MJBQ.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-J74DE.tmp		—
		MD5:—	SHA256:—
920	GalaxySetup.tmp	C:\Windows\Fonts\is-RKS7S.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2628	GOG Galaxy - Game Installer.exe	77.79.249.164:443	remote-config.gog.com	GOG Poland sp. z o.o	PL	unknown
3008	GalaxyInstaller.exe	172.227.101.28:443	content-system.gog.com	Akamai Technologies, Inc.	US	whitelisted
3008	GalaxyInstaller.exe	192.229.220.97:443	cdn.gog.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

DNS requests

Domain	IP	Reputation
remote-config.gog.com	77.79.249.164 77.79.249.165	whitelisted
content-system.gog.com	172.227.101.28	whitelisted
cdn.gog.com	192.229.220.97	unknown

Threats

No threats detected

Add for printing

Process	Message
GalaxyClient.exe	[1008/195934.079:ERROR:main_delegate.cc(718)] Could not load cef_extensions.pak
GalaxyClient Helper.exe	[1008/195935.402:ERROR:main_delegate.cc(718)] Could not load cef_extensions.pak
GalaxyClient.exe	[1008/195936.376:INFO:CONSOLE(1)] "INFO: User have changed, ID is: null", source: file:///C:/Program%20Files/GOG%20Galaxy/web/scripts/mainOur.js (1)

General Info

GOG Galaxy - Game Installer.exe

80FF42038E514EDBDC1A915B5C7CC559

3E2FF238048C0C883C734D8CEC62C16AB04897C3

F7702F63AE77C17ACE4C446D15B40A2FA9BA94B786A10A1741A8C1AE6830DD67

6144:vGJIL+f2cTrVcRS8LyYSVougxVZ/WlNf2zZzy+vulDCClJGcq3S2N05:uKL+fzrVcR1OuBZ/Wz2gN3Gcq30

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Changes the autorun value in the registry

Application was dropped or rewritten from another process

SUSPICIOUS

Reads Windows owner settings

Reads the Windows organization settings

Executable content was dropped or overwritten

Creates files in the program directory

Searches for installed software

Creates files in the Windows directory

Modifies the open verb of a shell class

Application launched itself

INFO

Loads dropped or rewritten executable

Creates a software uninstall entry

Application was dropped or rewritten from another process

Reads settings of System Certificates

Dropped object may contain Bitcoin addresses

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings