Gen.Trojan.Heur2.JP.zmLfaW4kDTnO (B)_11861f0e26

by malwarelabrobot on June 19th, 2018 in Malware Descriptions.

Gen:Trojan.Heur2.JP.zmLfaW4kDTnO (B) (Emsisoft), GenericRXFR-LR!8406CA7C5284 (McAfee), Gen:Trojan.Heur2.JP.zmLfaW4kDTnO (FSecure), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 11861f0e26a72aae6a994856dbe1f50b
SHA1: 7c02ba5af742a179953252b6859d92654aa99d43
SHA256: 0e2386992266e74c764046029d3561af541ef5a0c834499b664a7eaa172a59cd
SSDeep: 6144:cAceQ9R1nt/2TdeEoQaOUNmpNXuS1DOgbt/gJrXEnb9G2EgqzUtuACQpQk9muzj:cteent8dZ7UNmsDfdb7GzBAek9VJt
Size: 417864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: GOG Sp. z o.o.
Created at: 2018-05-23 15:25:01
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:3584
GoogleUpdate.exe:2592
GalaxyInstaller.exe:3832
%original file name%.exe:3412
GalaxySetup.tmp:744
wusa.exe:2440
vcredist_x86_2015.exe:568
vcredist_x86_2015.exe:1736
vs2015-redist-x64.exe:3528
GalaxySetup.exe:1872

The Trojan injects its code into the following process(es):

GoogleUpdate.exe:2716

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3584 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)

The process GalaxyInstaller.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\GOG.com\Galaxy\logs\InstallerWebinstaller.log (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe (6362246 bytes)

The process %original file name%.exe:3412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C (372 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DB145CFEEC544B1582FED1ADA3370DD (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1.0[1].0 (729 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar255B.tmp (2712 bytes)
C:\ProgramData\GOG.com\Galaxy\logs\InstallerBootstrapper.log (5278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab255A.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\GalaxyInstaller.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\remoteconfig.json (729 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\icon.ico (4210 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar255B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab255A.tmp (0 bytes)

The process GalaxySetup.tmp:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process wusa.exe:2440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\WindowsUpdate.log (13709 bytes)
C:\989f8654a2a9bdd87e\$dpx$.tmp\de0df680e990594d8bff4484efdf984b.tmp (468 bytes)
C:\989f8654a2a9bdd87e (4 bytes)
C:\989f8654a2a9bdd87e\$dpx$.tmp\27d9f57d6d77e84d879ace4bf2d00ce6.tmp (2552 bytes)
C:\Windows\Logs\DPX\setupact.log (3028 bytes)
C:\989f8654a2a9bdd87e\$dpx$.tmp\476e18042842f849bfd39dd8de4e7dc8.tmp (6722 bytes)
C:\989f8654a2a9bdd87e\$dpx$.tmp\a25f4146e9855344b6c4b2c88ab51598.tmp (444 bytes)

The Trojan deletes the following file(s):

C:\989f8654a2a9bdd87e\Windows6.1-KB2999226-x86.cab (0 bytes)
C:\989f8654a2a9bdd87e (0 bytes)
C:\989f8654a2a9bdd87e\WSUSSCAN.cab (0 bytes)
C:\989f8654a2a9bdd87e\Windows6.1-KB2999226-x86-pkgProperties.txt (0 bytes)
C:\989f8654a2a9bdd87e\Windows6.1-KB2999226-x86.xml (0 bytes)
C:\989f8654a2a9bdd87e\$dpx$.tmp (0 bytes)

The process vcredist_x86_2015.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab91B3.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar91B4.tmp (2712 bytes)
C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\state.rsm (1808 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (732 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208_001_vcRuntimeAdditional_x86.log (127738 bytes)
C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (756 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (781 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208_000_vcRuntimeMinimum_x86.log (126936 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab91B3.tmp (0 bytes)
C:\ProgramData\Package Cache\.unverified (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar91B4.tmp (0 bytes)

The process vcredist_x86_2015.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\license.rtf (3284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\cab54A5CABBE7274D8A22EB58060AAB7623 (16944 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\license.rtf (2663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\vcRuntimeMinimum_x86 (1712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\license.rtf (2722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\license.rtf (2591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\license.rtf (7601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\license.rtf (2201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\thm.wxl (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208.log (51040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\license.rtf (2682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\BootstrapperApplicationData.xml (897 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\Windows7_MSU_x86 (10528 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\wixstdba.dll (2210 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.be\VC_redist.x86.exe (106328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\license.rtf (2050 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\license.rtf (4025 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\license.rtf (2303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\vcRuntimeAdditional_x86 (2160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\license.rtf (2922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\license.rtf (2597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\license.rtf (2124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\license.rtf (3662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\cabB3E1576D1FEFBB979E13B1A5379E0B16 (76515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\thm.wxl (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.be (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\wixstdba.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\BootstrapperApplicationData.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d} (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\logo.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.be\VC_redist.x86.exe (0 bytes)

The process vs2015-redist-x64.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\license.rtf (2263 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\wixstdba.dll (1890 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\license.rtf (1730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\license.rtf (1881 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\thm.wxl (497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\license.rtf (2804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\BootstrapperApplicationData.xml (817 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\license.rtf (7401 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\license.rtf (1804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\license.rtf (2197 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\thm.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\thm.wxl (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_amd64_20180618173253.log (21751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\license.rtf (2522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\license.rtf (2202 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\license.rtf (3031 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\license.rtf (3465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\license.rtf (2322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\license.rtf (4022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\license.rtf (1983 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\wixstdba.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d} (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\BootstrapperApplicationData.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\logo.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\thm.wxl (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\license.rtf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\license.rtf (0 bytes)

The process GalaxySetup.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1D2BU.tmp\GalaxySetup.tmp (50 bytes)

Registry activity

The process GoogleUpdate.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529305202"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529305202"
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{B80DBE63-1990-4361-A107-DBCCD7DB78F5}]
"PersistedPingTime" = "131738057800188412"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\PersistedPings\{2A442A5D-09A1-4692-80B0-C7F94C36480D}]
"PersistedPingString" = ""

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529305202"
"ping_freshness" = "{3BD54845-A658-48AF-83CF-F883F3DE0510}"

[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529332180"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{046C7C6D-2F6E-4F61-9871-C4E81EB410C5}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529305202"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{B80DBE63-1990-4361-A107-DBCCD7DB78F5}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{2A442A5D-09A1-4692-80B0-C7F94C36480D}]
"PersistedPingTime" = "131738057723748278"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{D2786935-CF5E-4A7D-AB11-5F1B35C6D17D}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529332180"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529305202"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{2A442A5D-09A1-4692-80B0-C7F94C36480D}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
"dr"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

The process GalaxyInstaller.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\GalaxyInstaller_RASMANCS]
"ConsoleTracingMask" = "4294901760"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\11861f0e26a72aae6a994856dbe1f50b_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process GalaxySetup.tmp:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash" = "F3 DB 30 60 0B CB 17 ED 2F EE 9E 95 4E 46 D5 8A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"Inno Setup: Setup Version" = "5.5.9 (u)"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\GOG Galaxy\chrome_elf.dll, %Program Files%\GOG Galaxy\CrashReporter.exe, %Program Files%\GOG Galaxy\d3dcompiler_43.dll, %Program Files%\GOG Galaxy\d3dcompiler_47.dll, %Program Files%\GOG Galaxy\expat.dll, %Program Files%\GOG Galaxy\GalaxyClient Helper.exe, %Program Files%\GOG Galaxy\GalaxyClient.exe, %Program Files%\GOG Galaxy\GalaxyClientService.exe, %Program Files%\GOG Galaxy\GOG Galaxy Notifications Renderer.exe, %Program Files%\GOG Galaxy\libcef.dll, %Program Files%\GOG Galaxy\libeay32.dll, %Program Files%\GOG Galaxy\libEGL.dll, %Program Files%\GOG Galaxy\libGLESv2.dll, %Program Files%\GOG Galaxy\pcre.dll, %Program Files%\GOG Galaxy\PocoCrypto.dll, %Program Files%\GOG Galaxy\PocoData.dll, %Program Files%\GOG Galaxy\PocoDataSQLite.dll, %Program Files%\GOG Galaxy\PocoFoundation.dll, %Program Files%\GOG Galaxy\PocoJSON.dll, %Program Files%\GOG Galaxy\PocoNet.dll, %Program Files%\GOG Galaxy\PocoNetSSL.dll, %Program Files%\GOG Galaxy\PocoUtil.dll, %Program Files%\GOG Galaxy\PocoXml.dll, C:\Progá°£:"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Bold" = "LatoWeb-Bold.ttf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"URLUpdateInfo" = "http://www.gog.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallDate" = "20180618"
"EstimatedSize" = "399960"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato" = "LatoWeb-Regular.ttf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"UninstallString" = "%Program Files%\GOG Galaxy\unins000.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato SemiboldItalic" = "LatoWeb-SemiboldItalic.ttf"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "3D 92 6C E3 00 2B 8A C9 5E 90 BF 95 38 AA E0 8E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato LightItalic" = "LatoWeb-LightItalic.ttf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"NoRepair" = "1"
"DisplayName" = "GOG Galaxy"
"Publisher" = "GOG.com"
"InstallLocation" = "%Program Files%\GOG Galaxy\"

[HKLM\SOFTWARE\GOG.com\GalaxyClient]
"clientExecutable" = "GalaxyClient.exe"
"Version" = "1.2.44.30"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Light" = "LatoWeb-Light.ttf"
"Lato Semibold" = "LatoWeb-Semibold.ttf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"DisplayIcon" = "%Program Files%\GOG Galaxy\unins000.exe"
"Inno Setup: App Path" = "%Program Files%\GOG Galaxy"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato BoldItalic" = "LatoWeb-BoldItalic.ttf"
"Lato Italic" = "LatoWeb-Italic.ttf"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"GalaxyClient" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"HelpLink" = "http://www.gog.com/"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"Inno Setup: Language" = "English"
"Inno Setup: Icon Group" = "GOG.com"
"NoModify" = "1"
"QuietUninstallString" = "%Program Files%\GOG Galaxy\unins000.exe /SILENT"

[HKLM\SOFTWARE\GOG.com\GalaxyClient\paths]
"client" = "%Program Files%\GOG Galaxy"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "E8 02 00 00 1D 5B 0D 1C 11 07 D4 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7258BA11-600C-430E-A759-27E2C691A335}_is1]
"URLInfoAbout" = "http://www.gog.com/"
"Inno Setup: Selected Tasks" = "desktopicon"
"Inno Setup: Deselected Tasks" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GalaxyClient" = ""

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wusa.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA]
"WUSACommandLine" = "/quiet"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA]
"WUSACommandLine"

The process vcredist_x86_2015.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"Installed" = "1"
"UninstallString" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe /uninstall"

[HKCR\Installer\Dependencies\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"Version" = "14.0.24212.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"NoElevateOnModify" = "1"
"DisplayName" = "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212;"
"QuietUninstallString" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe /uninstall /quiet"
"EstimatedSize" = "21246"
"BundleTag" = "Type: REG_SZ, Length: 0"
"Publisher" = "Microsoft Corporation"

[HKCR\Installer\Dependencies\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"DisplayName" = "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"DisplayIcon" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe,0"
"BundleResumeCommandLine" = " /quiet /norestart /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208.log /install"
"DisplayVersion" = "14.0.24212.0"
"ModifyPath" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe /modify"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"

"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleVersion" = "14.0.24212.0"
"BundleUpgradeCode" = "{F899BAD3-98ED-308E-A905-56B5338963FF}"
"Resume" = "1"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"

[HKCR\Installer\Dependencies\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"(Default)" = "{462f63a8-6347-4894-a1b3-dbfe3a4c981d}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"BundleProviderKey" = "{462f63a8-6347-4894-a1b3-dbfe3a4c981d}"
"EngineVersion" = "3.7.3813.0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"{462f63a8-6347-4894-a1b3-dbfe3a4c981d}" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe /burn.runonce"

The Trojan deletes the following value(s) in system registry:

[HKCR\Installer\Dependencies\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MinVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MaxVersion"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"BundleResumeCommandLine"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MaxVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MinVersion"

[HKCR\Installer\Dependencies\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MaxVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}]
"MinVersion"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"{462f63a8-6347-4894-a1b3-dbfe3a4c981d}"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: GOG Sp. z o.o.
Product Name: Real Myst Masterpiece Edition
Product Version: 1.0.0.0
Legal Copyright: (C) GOG Sp. z o.o. 2018
Legal Trademarks:
Original Filename: GalaxyWebinstaller.exe
Internal Name: GalaxyWebinstaller.exe
File Version: 1.0.0.0
File Description: Real Myst Masterpiece Edition
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 585728 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 589824 307200 306688 5.49814 8547d98d062b978b63bb7f20c82a7db4
.rsrc 897024 106496 102912 5.46178 719511ef9529a9fee7d9657643ffc3e2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:3584
    GoogleUpdate.exe:2592
    GalaxyInstaller.exe:3832
    %original file name%.exe:3412
    GalaxySetup.tmp:744
    wusa.exe:2440
    vcredist_x86_2015.exe:568
    vcredist_x86_2015.exe:1736
    vs2015-redist-x64.exe:3528
    GalaxySetup.exe:1872

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\GOG.com\Galaxy\logs\InstallerWebinstaller.log (751 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\GalaxySetup.exe (6362246 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (434 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C (372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DB145CFEEC544B1582FED1ADA3370DD (320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD (531 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1.0[1].0 (729 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar255B.tmp (2712 bytes)
    C:\ProgramData\GOG.com\Galaxy\logs\InstallerBootstrapper.log (5278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab255A.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\GalaxyInstaller.exe (61 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\remoteconfig.json (729 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C (531 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GalaxyInstaller\icon.ico (4210 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-RUC54.tmp (15 bytes)
    %Program Files%\GOG Galaxy\is-VO01K.tmp (3073 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentBanner\is-9H0L2.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\js\is-R57NG.tmp (6841 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-8VM2P.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-M5FBM.tmp (9605 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\es-MX\is-RHEDD.tmp (56 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-1Q746.tmp (37 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-R7MT9.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-DCPO9.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-8SLP8.tmp (44 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-78RP5.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\locales\es-ES\is-EQHNL.tmp (56 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-IRLCE.tmp (39 bytes)
    %Program Files%\GOG Galaxy\unins000.dat (23634 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-D3CI0.tmp (3073 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-VOEAC.tmp (38 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\fr-FR\is-HIVD8.tmp (1 bytes)
    %Program Files%\GOG Galaxy\is-S8PKF.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-7UPVL.tmp (52 bytes)
    %Program Files%\GOG Galaxy\web\is-H921P.tmp (909 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-OPJ8V.tmp (7971 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-IKVOP.tmp (13122 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-7NPH7.tmp (59 bytes)
    %Program Files%\GOG Galaxy\web\locales\es-MX\is-EKUA6.tmp (56 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com\GOG Galaxy\GOG Galaxy.lnk (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pt-BR\is-CQFO1.tmp (981 bytes)
    %Program Files%\GOG Galaxy\platforms\is-4MMFU.tmp (7385 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-H7S3A.tmp (26 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-R4HAA.tmp (114989 bytes)
    C:\Windows\Fonts\is-8JARL.tmp (4185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-LBUP5.tmp\botva2.dll (64 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pt-PT\is-8SJ09.tmp (54 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-ELDPT.tmp (61370 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\ja-JP\is-T0L5C.tmp (60 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-5FFO5.tmp (58 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-LTLKU.tmp (51 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-HTN8S.tmp (39 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-8JP2R.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-S9BIL.tmp (20 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-KA6JD.tmp (7433 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-JFSGB.tmp (3 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentLogo\is-33D0R.tmp (21 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-P1OEL.tmp (1425 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-MFFVN.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-LM3RM.tmp (517726 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-RJOIS.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\js\is-4LNET.tmp (3073 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-IBVA5.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-6RPRH.tmp (59 bytes)
    C:\Windows\Fonts\is-99NB0.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-ETCND.tmp (13 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-9GC8E.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-33CHM.tmp (76782 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-ABOVH.tmp (48 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-6HR7S.tmp (2321 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-70LL1.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-VA64H.tmp (2 bytes)
    %Program Files%\GOG Galaxy\web\audio\is-C71U3.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\is-C62G8.tmp (13122 bytes)
    %Program Files%\GOG Galaxy\locales\is-G21KO.tmp (1281 bytes)
    C:\Windows\Fonts\is-L4ASO.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-RFQ3I.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-4OHVM.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-P9QC0.tmp (39 bytes)
    %Program Files%\GOG Galaxy\is-0TDCO.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-JT8IJ.tmp (176 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-S9DGI.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\is-HMC0O.tmp (2105 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-BVCMS.tmp (26 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-2M131.tmp (63 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-BKBMD.tmp (601 bytes)
    %Program Files%\GOG Galaxy\is-L8MRA.tmp (33350 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-5CTK6.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\locales\fr-FR\is-C9MG6.tmp (59 bytes)
    %Program Files%\GOG Galaxy\web\fonts\is-2U4IT.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-AM0LM.tmp (46 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-VJIM1.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-FUNEP.tmp (4545 bytes)
    %Program Files%\GOG Galaxy\is-QI6PF.tmp (30812 bytes)
    %Program Files%\GOG Galaxy\locales\is-88PVE.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-MVD9G.tmp (40 bytes)
    %Program Files%\GOG Galaxy\is-DE8HA.tmp (4545 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\it-IT\is-04644.tmp (55 bytes)
    %Program Files%\GOG Galaxy\locales\is-M38SK.tmp (673 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\ru-RU\is-T52QN.tmp (1 bytes)
    %Program Files%\GOG Galaxy\web\locales\en-US\is-KREOP.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-9L42N.tmp (2 bytes)
    C:\Windows\Fonts\is-IFKS0.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-C911P.tmp (13 bytes)
    %Program Files%\GOG Galaxy\web\locales\pl-PL\is-7HKMB.tmp (57 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\fr-FR\is-KL4FN.tmp (59 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-12QAB.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-CVD1T.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-84JFA.tmp (57 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-18\is-5TU2S.tmp (110924 bytes)
    %Program Files%\GOG Galaxy\web\locales\ja-JP\is-VBIOB.tmp (924 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-FRT8U.tmp (9605 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-187O0.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\locales\es-MX\is-O8DJQ.tmp (916 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-P2KQM.tmp (50 bytes)
    %Program Files%\GOG Galaxy\web\locales\zh-Hant\is-RIIPS.tmp (54 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\en-US\is-D3FMH.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\fonts\is-2K8KR.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\is-UI57V.tmp (4545 bytes)
    %Program Files%\GOG Galaxy\licences\Boost C++ Libraries\is-A65VS.tmp (1 bytes)
    %Program Files%\GOG Galaxy\is-QV0JU.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\web\images\gogGalaxyLogo\is-NO04O.tmp (17 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-Q198Q.tmp (38 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-15\is-94UMK.tmp (82840 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pl-PL\is-9E927.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-1UPTB.tmp (22 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-Q8PIR.tmp (41 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-R4G6L.tmp (26 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-9QBUT.tmp (37 bytes)
    C:\Windows\Fonts\is-6JQML.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-1K03T.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\is-CAMFS.tmp (7971 bytes)
    %Program Files%\GOG Galaxy\web\is-S4DVE.tmp (1425 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-5CSC3.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\audio\is-U3BMB.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-HPCF6.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-TU2QD.tmp (10 bytes)
    %Program Files%\GOG Galaxy\web\is-KHJLI.tmp (1 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-8GGV7.tmp (54 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-LBUP5.tmp\vcredist_x86_2015.exe (108599 bytes)
    %Program Files%\GOG Galaxy\unins000.msg (654 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-QHNQP.tmp (2 bytes)
    %Program Files%\GOG Galaxy\is-KSVHJ.tmp (4545 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-837K2.tmp (50 bytes)
    %Program Files%\GOG Galaxy\web\is-CTNU2.tmp (14 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-BISQ7.tmp (59 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-GA1A1.tmp (3361 bytes)
    %Program Files%\GOG Galaxy\is-Q7ODU.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-EEU5A.tmp (28 bytes)
    %Program Files%\GOG Galaxy\is-3NUN2.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-QRO7U.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-LBUP5.tmp\innocallback.dll (65 bytes)
    %Program Files%\GOG Galaxy\licences\LatoWeb Font\is-N7NF3.tmp (4 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-V5EGS.tmp (22575 bytes)
    %Program Files%\GOG Galaxy\web\is-6K6QJ.tmp (37 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pl-PL\is-7GTTF.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-71NS2.tmp (35 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-V1GEK.tmp (14 bytes)
    %Program Files%\GOG Galaxy\web\locales\it-IT\is-JDQ5Q.tmp (55 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-A4TOQ.tmp (35 bytes)
    %Program Files%\GOG Galaxy\web\images\gogGalaxyLogo\is-CLHSH.tmp (4 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-7C0AN.tmp (3073 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-G2S02.tmp (673 bytes)
    %Program Files%\GOG Galaxy\locales\is-H3N24.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-0Q7VI.tmp (2 bytes)
    %Program Files%\GOG Galaxy\web\images\gogGalaxyLogo\is-F44CS.tmp (10 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-6I2E5.tmp (53 bytes)
    %Program Files%\GOG Galaxy\is-01R46.tmp (38249 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-DAFTO.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-020J9.tmp (21 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-LO0T4.tmp (49 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentBanner\is-0D1GB.tmp (673 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-KL6KQ.tmp (673 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\zh-Hans\is-7BRGN.tmp (54 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-CKCE2.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-7SDPF.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-1K4L6.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-2II99.tmp (673 bytes)
    %Program Files%\GOG Galaxy\locales\is-L7E4J.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-76D1O.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-QT67A.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\locales\pl-PL\is-371IV.tmp (1 bytes)
    %Program Files%\GOG Galaxy\is-IAQLK.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\styles\overlay\is-G2JG9.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-2D61S.tmp (23062 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-LBUP5.tmp\_isetup\_isdecmp.dll (48 bytes)
    %Program Files%\GOG Galaxy\is-R6G78.tmp (34583 bytes)
    %Program Files%\GOG Galaxy\is-ECG7S.tmp (5873 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\zh-Hant\is-FJQER.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentLogo\is-PMBFU.tmp (7 bytes)
    %Program Files%\GOG Galaxy\is-PR68G.tmp (2321 bytes)
    C:\Users\Public\Desktop\GOG Galaxy.lnk (999 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-JIJRT.tmp (673 bytes)
    %Program Files%\GOG Galaxy\web\images\gogGalaxyLogo\is-8KOVQ.tmp (7 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\de-DE\is-6704P.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-76JCE.tmp (2 bytes)
    %Program Files%\GOG Galaxy\web\is-AM1JJ.tmp (8 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-NSFB7.tmp (39 bytes)
    %Program Files%\GOG Galaxy\locales\is-UI5LQ.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-K56D5.tmp (59 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-581M2.tmp (673 bytes)
    %Program Files%\GOG Galaxy\is-EAF21.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-E30BI.tmp (37 bytes)
    %Program Files%\GOG Galaxy\web\locales\ru-RU\is-R1SQR.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-LH1DO.tmp (33350 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-07EDC.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\locales\is-UKBV9.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-TOABH.tmp (13 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-FDHSF.tmp (5 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-N9CMU.tmp (35505 bytes)
    %Program Files%\GOG Galaxy\is-TSJ6B.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\locales\ja-JP\is-H549C.tmp (60 bytes)
    C:\Windows\Fonts\is-DP3Q8.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-S14ET.tmp (38 bytes)
    %Program Files%\GOG Galaxy\web\locales\en-US\is-47SLT.tmp (916 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-18\is-8U9UO.tmp (85228 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-3OCQN.tmp (4 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-7JINM.tmp (40 bytes)
    C:\Windows\Fonts\is-LLC7F.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-G7HB4.tmp (44 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-UASEI.tmp (13 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-JBAIQ.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\locales\pt-BR\is-LOMN8.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\is-RJO8R.tmp (601 bytes)
    %Program Files%\GOG Galaxy\is-E4SJN.tmp (3361 bytes)
    %Program Files%\GOG Galaxy\web\locales\de-DE\is-234K0.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-OLC3A.tmp (15 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-5U3FD.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\locales\zh-Hans\is-GK4G7.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-SKS8N.tmp (10 bytes)
    %Program Files%\GOG Galaxy\is-0MJIQ.tmp (7726 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-GCR0H.tmp (6841 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-ONLL3.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-24KQ7.tmp (2321 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-68B77.tmp (8657 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-FV1PJ.tmp (59 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-5S66G.tmp (49 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-GM7VA.tmp (673 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-04DA8.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-UG91F.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-II4OA.tmp (11 bytes)
    %Program Files%\GOG Galaxy\locales\is-3INNB.tmp (673 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-8UL9A.tmp (673 bytes)
    %Program Files%\GOG Galaxy\licences\POCO C Libraries\is-22DK1.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\en-US\is-12NCS.tmp (916 bytes)
    %Program Files%\GOG Galaxy\licences\Chromium Embedded Framework\is-RIUOI.tmp (1 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-G33H8.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-IRM9J.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\is-7JBNG.tmp (7433 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pt-PT\is-9O0IP.tmp (916 bytes)
    %Program Files%\GOG Galaxy\is-87DPG.tmp (9605 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\ru-RU\is-F6UTI.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\audio\is-TBIAK.tmp (2105 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-VEMCQ.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-B2K4C.tmp (47 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-BFNJA.tmp (51 bytes)
    %Program Files%\GOG Galaxy\is-O8LJ4.tmp (15116 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-17\is-R32TV.tmp (86230 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentLogo\is-6E9II.tmp (20 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-IA5TI.tmp (59 bytes)
    %Program Files%\GOG Galaxy\imageformats\is-BQOEB.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\is-5THVN.tmp (76782 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-GGHSO.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\css\is-NAMA2.tmp (57 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-UO22F.tmp (40 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-R7ANV.tmp (60 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-BNL5P.tmp (4545 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-VB4ES.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\web\audio\is-UH8NR.tmp (2105 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-JD8TR.tmp (22 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-17\is-UMV3I.tmp (112480 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-15\is-O0K3S.tmp (125140 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-M7F32.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentBanner\is-JBP07.tmp (1281 bytes)
    %Program Files%\GOG Galaxy\is-28QJK.tmp (673 bytes)
    %Program Files%\GOG Galaxy\web\locales\pt-BR\is-PFFMT.tmp (981 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-5R569.tmp (3 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-16\is-5L5P8.tmp (85696 bytes)
    %Program Files%\GOG Galaxy\is-BBKCC.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\web\locales\pt-PT\is-CC18G.tmp (54 bytes)
    %Program Files%\GOG Galaxy\licences\JsonCPP\is-44A19.tmp (2 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-P0HV4.tmp (13 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-H292O.tmp (42 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-BDTAI.tmp (45 bytes)
    %Program Files%\GOG Galaxy\is-74VLL.tmp (9605 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-04JC7.tmp (58 bytes)
    %Program Files%\GOG Galaxy\licences\Apache\is-JSFDC.tmp (9 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-0I73C.tmp (601 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-EGQJU.tmp (14 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-8HLL1.tmp (48 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\de-DE\is-J05GH.tmp (996 bytes)
    %Program Files%\GOG Galaxy\licences\zlib\is-4V222.tmp (5 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-IF6H1.tmp (51 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-3C3I9.tmp (601 bytes)
    %Program Files%\GOG Galaxy\licences\QT Libraries\is-R6C7Q.tmp (27 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-FG1IU.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-8A09T.tmp (7726 bytes)
    %Program Files%\GOG Galaxy\web\styles\components\findFriendsWindow\is-Q3899.tmp (24 bytes)
    %Program Files%\GOG Galaxy\is-GU4OV.tmp (51303 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-TJJPE.tmp (26096 bytes)
    %Program Files%\GOG Galaxy\is-419DU.tmp (2321 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-N14J6.tmp (50 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-OOP2B.tmp (52 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-18AOQ.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\licences\libcurl\is-S2BVE.tmp (1 bytes)
    %Program Files%\GOG Galaxy\is-GIQ01.tmp (517726 bytes)
    %Program Files%\GOG Galaxy\web\styles\client\is-BOBIL.tmp (45 bytes)
    %Program Files%\GOG Galaxy\licences\OpenSSL\is-VAH9A.tmp (6 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\it-IT\is-LHG6P.tmp (916 bytes)
    %Program Files%\GOG Galaxy\web\fonts\is-LB5S1.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\web\fonts\is-PLKN9.tmp (4185 bytes)
    %Program Files%\GOG Galaxy\web\is-DIKMK.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-HPKGF.tmp (22 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-JIHHI.tmp (2 bytes)
    %Program Files%\GOG Galaxy\is-CAOMK.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-1AO3I.tmp (45 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-0K71S.tmp (14 bytes)
    %Program Files%\GOG Galaxy\web\is-1UMI2.tmp (1 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-U554V.tmp (31 bytes)
    %Program Files%\GOG Galaxy\web\locales\ru-RU\is-31C3R.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-R29GO.tmp (1425 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-NCO68.tmp (48 bytes)
    %Program Files%\GOG Galaxy\web\locales\zh-Hans\is-G42A9.tmp (909 bytes)
    %Program Files%\GOG Galaxy\is-19HQU.tmp (22575 bytes)
    %Program Files%\GOG Galaxy\is-R20EK.tmp (31786 bytes)
    %Program Files%\GOG Galaxy\web\locales\de-DE\is-KPB0D.tmp (996 bytes)
    %Program Files%\GOG Galaxy\web\styles\common\is-MLA24.tmp (595 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentBanner\is-0E8HQ.tmp (26 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-PUGNQ.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-N96G6.tmp (45 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-AUGNL.tmp (14 bytes)
    %Program Files%\GOG Galaxy\web\audio\is-S8V8J.tmp (1425 bytes)
    %Program Files%\GOG Galaxy\is-T0L4B.tmp (3073 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\ko-KR\is-RF5FD.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\locales\pt-PT\is-8B80M.tmp (916 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-I8JNT.tmp (2105 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-ER4V9.tmp (14 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-94LL9.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-OLD4B.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\ja-JP\is-84IKG.tmp (924 bytes)
    %Program Files%\GOG Galaxy\is-5M57H.tmp (673 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-DSK9B.tmp (14 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\pt-BR\is-B6SO1.tmp (57 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-KEN5M.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-RGCD7.tmp (44 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\is-MBDI3.tmp (673 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentBanner\is-R6CSK.tmp (54 bytes)
    %Program Files%\GOG Galaxy\web\angularLocales\is-AB1LA.tmp (2 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-ANRT4.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\zh-Hans\is-UAOK1.tmp (909 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-SKJT2.tmp (39 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-KQENL.tmp (42 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\is-SCPVT.tmp (30812 bytes)
    %Program Files%\GOG Galaxy\web\images\gwentLogo\is-71KTF.tmp (16 bytes)
    %Program Files%\GOG Galaxy\web\locales\it-IT\is-U0KL1.tmp (916 bytes)
    C:\Windows\Fonts\is-MM1CU.tmp (4185 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\es-MX\is-OT028.tmp (916 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\peer\msvc-16\is-8A74G.tmp (114298 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-K8KJV.tmp (1 bytes)
    %Program Files%\GOG Galaxy\locales\is-EDUMM.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-JLI41.tmp (39 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-UOTDF.tmp (13 bytes)
    %Program Files%\GOG Galaxy\web\locales\es-ES\is-RMGHM.tmp (916 bytes)
    C:\ProgramData\GOG.com\Galaxy\changelogs\is-FR5S0.tmp (2 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-5VPA1.tmp (23 bytes)
    %Program Files%\GOG Galaxy\web\locales\fr-FR\is-H3ORE.tmp (1 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-VEVDP.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-1UEPS.tmp (56 bytes)
    %Program Files%\GOG Galaxy\is-MLSAT.tmp (6841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2018-06-18 #001.txt (2865136 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\locales\is-SIBMA.tmp (1281 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\es-ES\is-D8DLO.tmp (56 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-BTM6O.tmp (2321 bytes)
    %Program Files%\GOG Galaxy\is-QQT9A.tmp (26096 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-LDUAD.tmp (601 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\overlay\injected\is-U63UE.tmp (59 bytes)
    C:\ProgramData\GOG.com\Galaxy\redists\web\locales\es-ES\is-GLK0G.tmp (916 bytes)
    %Program Files%\GOG Galaxy\web\microserviceMenu\img\is-BEFOO.tmp (13 bytes)
    %Program Files%\GOG Galaxy\web\locales\ko-KR\is-CD4HF.tmp (54 bytes)
    %Program Files%\GOG Galaxy\is-IT07T.tmp (7547 bytes)
    %Program Files%\GOG Galaxy\web\scripts\is-AVTI7.tmp (2105 bytes)
    C:\Windows\WindowsUpdate.log (13709 bytes)
    C:\989f8654a2a9bdd87e\$dpx$.tmp\de0df680e990594d8bff4484efdf984b.tmp (468 bytes)
    C:\989f8654a2a9bdd87e\$dpx$.tmp\27d9f57d6d77e84d879ace4bf2d00ce6.tmp (2552 bytes)
    C:\Windows\Logs\DPX\setupact.log (3028 bytes)
    C:\989f8654a2a9bdd87e\$dpx$.tmp\476e18042842f849bfd39dd8de4e7dc8.tmp (6722 bytes)
    C:\989f8654a2a9bdd87e\$dpx$.tmp\a25f4146e9855344b6c4b2c88ab51598.tmp (444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab91B3.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar91B4.tmp (2712 bytes)
    C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\state.rsm (1808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (732 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208_001_vcRuntimeAdditional_x86.log (127738 bytes)
    C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe (5873 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (756 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (781 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (912 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208_000_vcRuntimeMinimum_x86.log (126936 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\license.rtf (3284 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\cab54A5CABBE7274D8A22EB58060AAB7623 (16944 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\license.rtf (2663 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.xml (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\vcRuntimeMinimum_x86 (1712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\license.rtf (2722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\license.rtf (2591 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\2052\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\license.rtf (7601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\license.rtf (2201 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1040\thm.wxl (577 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20180618173208.log (51040 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1028\license.rtf (2682 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\BootstrapperApplicationData.xml (897 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\Windows7_MSU_x86 (10528 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\wixstdba.dll (2210 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.be\VC_redist.x86.exe (106328 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1055\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1031\license.rtf (2050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\license.rtf (4025 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1029\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\3082\license.rtf (2303 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1042\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\vcRuntimeAdditional_x86 (2160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1036\license.rtf (2922 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1045\license.rtf (2597 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\logo.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1046\license.rtf (2124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1041\license.rtf (3662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\cabB3E1576D1FEFBB979E13B1A5379E0B16 (76515 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\.ba1\1049\thm.wxl (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\license.rtf (2263 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\wixstdba.dll (1890 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1055\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1031\license.rtf (1730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\logo.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\license.rtf (1881 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.xml (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1040\thm.wxl (497 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\license.rtf (2804 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\BootstrapperApplicationData.xml (817 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\license.rtf (7401 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\license.rtf (1804 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1042\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1046\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1045\license.rtf (2197 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1029\thm.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\thm.wxl (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_amd64_20180618173253.log (21751 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1036\license.rtf (2522 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\license.rtf (2202 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1028\thm.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\2052\license.rtf (3031 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1049\license.rtf (3465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\license.rtf (2322 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\1041\license.rtf (4022 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{323dad84-0974-4d90-a1c1-e006c7fdbb7d}\.ba1\3082\license.rtf (1983 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1D2BU.tmp\GalaxySetup.tmp (50 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "GalaxyClient" = ""

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "{462f63a8-6347-4894-a1b3-dbfe3a4c981d}" = "C:\ProgramData\Package Cache\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}\VC_redist.x86.exe /burn.runonce"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
