So, I've been running some analysis on the game (Microsoft Defender, Kaspersky, Malwarebytes, VirusTotal), since it's the first time I've used GOG as a gaming platform, and I've found some suspicious activity that doesn't make sense to me.

For one, the game contacts several IPs, which is weird for a single player game with no network capabilities, but I understand it has to do with the wrapper and MIGHT be the game looking for updates, if it does such thing.

However what bugs me the most is that the game executes a very suspicious shell command, from a very suspicious location, and then deletes the .exe and all the related folders, leaving no traces.

"C:\Program Files\Google2448_1730576184\bin\updater.exe" --update --system --enable-logging --vmodule=*/chrome/updater/*=2 /sessionid {97E91C7F-B080-4B0D-9776-1F7B45592C07}

This is highly suspicious, as it is common malware behaviour to execute .exes with similar names from supposedly legit locations, so I wanted to know what exactly this updater.exe does.

This is the hash of the exe, since I cannot post the VirusTotal link for whatever reason:
c1cffaeb8827ca373b8200dae554cbd05a1feb73b153e97ae462c6e7475fef3e
Post edited June 07, 2025 by Spookey
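One way to check this on your own machine, added here as an example and not part of the thread: hash every updater.exe under the Google-style install roots, compare it with the SHA-256 posted above, read its Authenticode signature, and list the updater scheduled tasks and services that a real Google updater registers. The wildcard path and the task/service name prefixes are assumptions about where the updater normally lives; the hash constant is the one from the post. Run it from an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example, not code from the thread. Triage a suspicious updater.exe.
# Assumes: elevated PowerShell 5.1+ ; $PostedHash is the SHA-256 from the post.
$PostedHash = 'c1cffaeb8827ca373b8200dae554cbd05a1feb73b153e97ae462c6e7475fef3e'

# 1. Locate candidate binaries. The post shows
#    "C:\Program Files\Google2448_1730576184\bin\updater.exe"; the wildcard also
#    covers the usual "Program Files*\Google\..." tree (assumed location).
$candidates = Get-ChildItem -Path 'C:\Program Files*\Google*' -Recurse `
    -Filter 'updater.exe' -ErrorAction SilentlyContinue

# 2. Hash and signature for each candidate. A legitimate Google binary carries a
#    signature with Status 'Valid' and a Google subject; a masquerading copy
#    usually has no signature or an invalid one.
$report = foreach ($exe in $candidates) {
    $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -FilePath $exe.FullName
    [pscustomobject]@{
        Path          = $exe.FullName
        SHA256        = $hash
        MatchesPosted = ($hash -eq $PostedHash)
        SigStatus     = $sig.Status
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}
$report | Format-List

# 3. Persistence: Google's updater runs from scheduled tasks and a service.
#    An orphan updater.exe with neither is the more interesting case.
#    Name prefixes are assumptions; adjust if your install names differ.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'GoogleUpdater*' } |
    Select-Object TaskName, State, @{ n = 'Exec'; e = { ($_.Actions | ForEach-Object Execute) -join '; ' } }
Get-Service -Name 'GoogleUpdater*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 4. Catch the launch live while reproducing the behaviour (start the game).
#    Sysmon or Security event 4688 is better, but this needs no extra tooling.
Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
    -SourceIdentifier 'UpdaterWatch' -Action {
        $e = $Event.SourceEventArgs.NewEvent
        if ($e.ProcessName -ieq 'updater.exe') {
            Write-Host ('updater.exe started: pid={0} parent pid={1}' -f $e.ProcessID, $e.ParentProcessID)
        }
    } | Out-Null
# When done: Unregister-Event -SourceIdentifier 'UpdaterWatch'
```

The parent PID from step 4 is what actually answers the question in the post: if the parent is the game process, the game launched it; if the parent is a Google updater task or service host, it is the browser updater firing on its own schedule.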
Spookey: So, I've been running some analysis on the game (Microsoft Defender, Kaspersky, Malwarebytes, VirusTotal), since it's the first time I've used GOG as a gaming platform, and I've found some suspicious activity that doesn't make sense to me.
I have the game installed on a Windows 7 system that has the ethernet card disabled, so it's completely offline. I have not seen anything like what you described. Not once has it tried to phone home since I have no internet connection on this SSD.

Are you sure it's the game and not some other program that's triggering this?
This looks to me like the updater task from Google's Chrome Browser. I do consider that application spyware but it is not related to the game at all.
I'm not completely sure, since the only evidence I have of the internet connections and the weird processes is the VirusTotal report.

After posting this I monitored its activity with procmon, but I couldn't find any trace of this "updater.exe" nor anything close to it. Furthermore, the only sandbox that says anything about this shady Google updater is the Microsoft Sysinternals one, which leads me to think it's doing weird things on its own and then flagging it as the executable's fault, maybe? Idk, I don't have Chrome installed.

The next thing I can do is analyze the packets sent with Wireshark, but that might take a while.

To add a bit of context, I scanned both the offline installer and the game files with Kaspersky, Malwarebytes and Microsoft Defender, and the installer comes clean on VirusTotal, so in the case this had malware on it, it would most likely come with the offline installer, not the game executable. The signatures are legitimate, and I double checked that I downloaded the installer from the real GOG page.

The only "flag" I have is the VirusTotal report, and, since I don't have any idea of how it analyzes files, I don't know where these IP connections come from.
mgrimme: This looks to me like the updater task from Google's Chrome Browser. I do consider that application spyware but it is not related to the game at all.
Google's updater is annoying. I turned them off to do it manually and it still runs in the background at random times (on Windows 10; my Windows 7 is offline ofc).

It used to be some 32-bit files, but sometime this year it changed to 64-bit files in task manager. Fortunately it doesn't do it too often, but still a bit annoying.

It feels like we have less and less control over our own computers these days lol. (probably not true, but just feels like it when this stuff happens)
Ok, so, after some more research and monitoring, I think I know what is happening.

Since I cannot upload the entire game folder, I uploaded the .exe file, which most likely crashed when the sandboxes tried to open it. Then Windows Error Reporting and Google Crashpad activated for telemetry reports (which is why all the dropped files correspond to WER, Google and such, same as the executed processes, and the IPs are all Microsoft IPs used for telemetry, or similar).

I have opened the game with Wireshark running and I couldn't find any weird connections nor any of the connections listed by VirusTotal, so yeah, everything kinda makes sense now.