5d1ce2f3137500d2b9294456180e9bf70d6dbae97c8146d10e48522e64119926

Analysis

max time kernel
73s
max time network
75s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GearUP-1.34.1-nakol63.exe
Size

57.4MB
MD5

2a4f83c0c4ed0e0df9595c590e5c6361
SHA1

145ee18fe5518bd12775b3c660b6acc72c1081e4
SHA256

5d1ce2f3137500d2b9294456180e9bf70d6dbae97c8146d10e48522e64119926
SHA512

40ddaa7bf9a8db7f0cce346087a47e3f675ddcfd5732a9472a0be91c540198cfa26a46eab63aff34d751fc6b10cdb754d00da816131d652a09319cb26aff581b
SSDEEP

1572864:pEMNWfnJJiialMGzoOFy6N9yD+ocqfD0Oly2mXBx4:XY/JfalHsst93smxS

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\hostpacket.sys	GearUP-1.34.1-nakol63.exe
File created	C:\Windows\System32\drivers\hostpacket.sys	GearUP-1.34.1-nakol63.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	gearup_booster.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\de.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\it.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\host_dp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\hostfp\32\hostpacket.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\es-419.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\pt-PT.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tcp_proxy.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\udp_connect_lsp64.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\ws2detour.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\x64\NW_TAP_0921.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip	GearUP-1.34.1-nakol63.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\config.txt	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\i386\nw_tap_0909.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\x64\nw_tap_0921.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\wfp\win\x64\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\fil.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\x64\tap0901.cat	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\i386\NW_TAP_0909.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\browser.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\vcruntime140.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\hr.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\id.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\x64\NW_TAP_0909.inf	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\gearup_booster_render.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-utility-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\it.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\7za.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\wfp\win7	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sw.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\openvpn.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\wfp\win7\x32\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\i386\tap0901.cat	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\crashpad_handler.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\x64\NW_TAP_0921.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\wfp	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\am.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sv.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-heap-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\tun2proxy.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\hostfp	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\cef_200_percent.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\et.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\nl.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\update.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\sentry.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\ws2detour_x64.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\wfp\win7\x64\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\cef_200_percent.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\arm64\tap0901.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\gearup_booster.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-convert-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-filesystem-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\wfp\arm64\nwwfp.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\tap_driver\i386\tap0901.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\cef.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\fr.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ko.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\mr.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\uk.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\msvcp100.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9145\ping.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\udp_connect_lsp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9145\wfp\arm64	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\lt.pak	7za.exe

Executes dropped EXE 6 IoCs

pid	Process
2584	7za.exe
2856	launcher.exe
2464	gearup_booster.exe
2136	crashpad_handler.exe
1048	gearup_booster_ball.exe
1976	gearup_booster_render.exe

Loads dropped DLL 64 IoCs

pid	Process
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
1368	GearUP-1.34.1-nakol63.exe
2856	launcher.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2464	gearup_booster.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe
2136	crashpad_handler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	GearUP-1.34.1-nakol63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	gearup_booster.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu	gearup_booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\URL Protocol	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open	gearup_booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command\ = "C:\\Program Files (x86)\\GearUPBooster\\9145\\gearup_booster.exe \"%1\""	gearup_booster.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	gearup_booster.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2584	7za.exe
Token: 35	2584	7za.exe
Token: SeSecurityPrivilege	2584	7za.exe
Token: SeSecurityPrivilege	2584	7za.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1048	gearup_booster_ball.exe
2464	gearup_booster.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1048	gearup_booster_ball.exe
2464	gearup_booster.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2584	1368	GearUP-1.34.1-nakol63.exe	28
PID 1368 wrote to memory of 2584	1368	GearUP-1.34.1-nakol63.exe	28
PID 1368 wrote to memory of 2584	1368	GearUP-1.34.1-nakol63.exe	28
PID 1368 wrote to memory of 2584	1368	GearUP-1.34.1-nakol63.exe	28
PID 1368 wrote to memory of 2564	1368	GearUP-1.34.1-nakol63.exe	30
PID 1368 wrote to memory of 2564	1368	GearUP-1.34.1-nakol63.exe	30
PID 1368 wrote to memory of 2564	1368	GearUP-1.34.1-nakol63.exe	30
PID 1368 wrote to memory of 2564	1368	GearUP-1.34.1-nakol63.exe	30
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 1368 wrote to memory of 2856	1368	GearUP-1.34.1-nakol63.exe	33
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2856 wrote to memory of 2464	2856	launcher.exe	34
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 2136	2464	gearup_booster.exe	35
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1048	2464	gearup_booster.exe	37
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38
PID 2464 wrote to memory of 1976	2464	gearup_booster.exe	38

C:\Users\Admin\AppData\Local\Temp\GearUP-1.34.1-nakol63.exe
"C:\Users\Admin\AppData\Local\Temp\GearUP-1.34.1-nakol63.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe
  "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"
  2⤵
  PID:2564
- C:\Program Files (x86)\GearUPBooster\launcher.exe
  "C:\Program Files (x86)\GearUPBooster\launcher.exe" /install_shortcut 1 /install_autorun 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Program Files (x86)\GearUPBooster\9145\gearup_booster.exe
    "C:\Program Files (x86)\GearUPBooster\9145\gearup_booster.exe" /install_shortcut 1 /install_autorun 0
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files (x86)\GearUPBooster\9145\crashpad_handler.exe
      "C:\Program Files (x86)\GearUPBooster\9145\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --metrics-dir=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_proxy.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_tun.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_lsp.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\4e1d2aa2-a927-4bcf-8906-390fe93804ff.run\__sentry-event --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\4e1d2aa2-a927-4bcf-8906-390fe93804ff.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\4e1d2aa2-a927-4bcf-8906-390fe93804ff.run\__sentry-breadcrumb2 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x73cf5160,0x73cf5174,0x73cf5184
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2136
  - - C:\Program Files (x86)\GearUPBooster\9145\gearup_booster_ball.exe
      C:\Program Files (x86)\GearUPBooster\9145\gearup_booster_ball.exe /main_form_wnd 786712 /show_flag 0 /pos_x -1 /pos_y -1 /version 9145 /client_id 66034d6ce238270aa8adddbe /gray 0
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1048
  - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
      "C:\Program Files (x86)\GearUPBooster\9145\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --disable-databases --primordial-pipe-token=492530EFBE87F6CB86E43F54CCC18A7D --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9145\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=492530EFBE87F6CB86E43F54CCC18A7D --channel="2464.0.284957498\1661536441" --mojo-platform-channel-handle=2808 /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GearUPBooster\9145\MSVCP140.dll

Filesize
432KB

MD5
a6b18a2772631cdd06f95b19d66d2d4f

SHA1
c342250efab725f643e598f49d1710c74f78d022

SHA256
76cc277b564e69e35a0d9c440f013a52b5d25f43ba42fd0099d6fc1f05a6ce16

SHA512
f98e07c1b92ecfc662021e33486b660942de390b8e947126f304adee911da0574d6cac416748f6f03e6cce981737eb694fb3d2bcd80e1e207eba91a44b5f23e5

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\VCRUNTIME140.dll

Filesize
88KB

MD5
81b11024a8ed0c9adfd5fbf6916b133c

SHA1
c87f446d9655ba2f6fddd33014c75dc783941c33

SHA256
eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829

SHA512
e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
3b9d034ca8a0345bc8f248927a86bf22

SHA1
95faf5007daf8ba712a5d17f865f0e7938da662b

SHA256
a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d

SHA512
04f0830878e0166ffd1220536592d0d7ec8aacd3f04340a8d91df24d728f34fbbd559432e5c35f256d231afe0ae926139d7503107cea09bfd720ad65e19d1cdc

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
f6b4d8d403d22eb87a60bf6e4a3e7041

SHA1
b51a63f258b57527549d5331c405eacc77969433

SHA256
25687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270

SHA512
1acd8f7bc5d3ae1db46824b3a5548b33e56c9bac81dcd2e7d90fdbd1d3dd76f93cdf4d52a5f316728f92e623f73bc2ccd0bc505a259dff20c1a5a2eb2f12e41b

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
39d81596a7308e978d67ad6fdccdd331

SHA1
a0b2d43dd1c27d8244d11495e16d9f4f889e34c4

SHA256
3d109fd01f6684414d8a1d0d2f5e6c5b4e24de952a0695884744a6cbd44a8ec7

SHA512
0ef6578de4e6ba55eda64691892d114e154d288c419d05d6cff0ef4240118c20a4ce7f4174eec1a33397c6cd0135d13798dc91cc97416351775f9abf60fcae76

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
ae3fa6bf777b0429b825fb6b028f8a48

SHA1
b53dbfdb7c8deaa9a05381f5ac2e596830039838

SHA256
66b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb

SHA512
1339e7ce01916573e7fdd71e331eeee5e27b1ddd968cadfa6cbc73d58070b9c9f8d9515384af004e5e015bd743c7a629eb0c62a6c0fa420d75b069096c5d1ece

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
32d7b95b1bce23db9fbd0578053ba87f

SHA1
7e14a34ac667a087f66d576c65cd6fe6c1dfdd34

SHA256
104a76b41cbd9a945dba43a6ffa8c6de99db2105d4ce93a717729a9bd020f728

SHA512
7dad74a0e3820a8237bab48f4962fe43e5b60b00f003a5de563b4cf61ee206353c9689a639566dc009f41585b54b915ff04f014230f0f38416020e08c8a44cb4

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
5e72659b38a2977984bbc23ed274f007

SHA1
ea622d608cc942bdb0fad118c8060b60b2e985c9

SHA256
44a4db6080f6bdae6151f60ae5dc420faa3be50902e88f8f14ad457dec3fe4ea

SHA512
ed3cb656a5f5aee2cc04dd1f25b1390d52f3e85f0c7742ed0d473a117d2ac49e225a0cb324c31747d221617abcd6a9200c16dd840284bb29155726a3aa749bb1

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\gearup_booster.exe

Filesize
7.5MB

MD5
c2573f3643cf344865cefcb9e9ff4e29

SHA1
e3936812e46ebddf028e0ced12da342e475c02ed

SHA256
f54b9f0c693f2ea3cb7a291ade890d2636f251939823851ad58e4eeb8f5b0dc5

SHA512
ad1e9b80743aab5e2b563aad02dfe8bfe607213682d689fd3164da2158d9481cad5adba72c20e54664ac0a55f7dae070984e44b86516e4e3db80d8c0fdfc0282

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\gearup_booster_ball.exe

Filesize
1.4MB

MD5
10a2aca27153c46f983c1e1580b5da3a

SHA1
6026b18bbde9e256bf1a5fb3e6c37a192bfc54bb

SHA256
4b19b261d81e4b177f8c9e9994d133209f4db92a01b2d5796518602ede47833a

SHA512
0b9a7b8b5c6e756767beda6df39a433ccfb8081798a7ef619db8acfad0877c017bdee751da17b2c47fc918cdb6c765b8a1ae5240766319c1f454f21cc00a1d91

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\gearup_booster_vpn.dll

Filesize
33KB

MD5
59bc36bc7e3895171bc49d51921f6cf3

SHA1
99c84852111474b55a9d392bd3780c3b0a3560de

SHA256
95e74362b21479867d499705c6dd33688b31ad73c19d4873143f2582e3d5b0f8

SHA512
2d703d06aae0e0c6a35f64eb8930d9ffe4d3dd2c26f563dfa07b3097d17c560249a11b9ac4d512f301153f7c1ae76a4e65f7bb065d4f736ef998d3e872965ac3

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\hostfp\64\hostpacket.sys

Filesize
37KB

MD5
5ac815ad2f4386140fe4c7eef3b06233

SHA1
6dd0e26f3c447602109253a7eaad59064c4162ca

SHA256
08d86eae497df069ef9e6525e9513a019ff7a9971780c1987fde858d51f4ed66

SHA512
98cf60aceabadc078e00ad1e274028714f7bbf3c86f0522ab423d50231156a2513e8cc1946b242c64af7287648e6d4ba5e630824b4d83134c471689db42fbbf5

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\ping.dll

Filesize
685KB

MD5
052f7e9d0c77d87af8049ae05f3ee8f0

SHA1
a1e205042562866d46d46bdcd5949837343f63e7

SHA256
5347568cf781b40f57c7c1df72bdc253429c83d9b7c5940ea0b6b4a48eca8b0f

SHA512
c3545af0cdd52ba6fa7d7546a2c503851dc039fb919a4e473047ee8e7c3a52b48a07e97afe06fe19e734f5960ab4643a431e1c2fbe492447e5b3fe9b9ca0f086

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\skin.dll

Filesize
6.1MB

MD5
b25a4b556fe6ce978de71f0493abda02

SHA1
7d5ff3f5d5d15287aa320df90c5cd3171c15f2e5

SHA256
7aea7fad94152aa6bcc3602ba24cb816033623ca99cc0fec45f519c42564e437

SHA512
6304ad89738a32e52eb27f2a45ad97cdfc9e7e91b8c9795b1838bfe926e1e015ae6bb17c0f041ce99d03444ba8eed2873155213434a46859fc394b3c262cbbee

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\ucrtbase.DLL

Filesize
879KB

MD5
3e0303f978818e5c944f5485792696fd

SHA1
3b6e3ea9f5a6bbdeda20d68b84e4b51dc48deb1d

SHA256
7041885b2a8300bf12a46510228ce8d103d74e83b1baf696b84ff3e5ab785dd1

SHA512
c2874029bd269e6b9f7000c48d0710c52664c44e91c3086df366c3456b8bce0ed4d7e5bcfe4bdd3d03b11b8245c65f4b848b6dc58e6ea7b1de9b3ca2fb3348bc

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\ui.dll

Filesize
1.1MB

MD5
23b51aca74c680889ea43b8cd67bb9bf

SHA1
3d70ba07f1902214bd86c549a25914ac869060d2

SHA256
b3850157fb67fd675d1e3345361fe3f7376705e856b00ce98434af39d0b7f7ab

SHA512
1a9b4cf85197b8b096ffeb084d1084bbcc3519a524ec4c2d3db403ef7be2a897b996e822f25f15996ef4c012689709ccb7df21f3f902edb033191b06ea591807

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\uninstall.exe

Filesize
2.1MB

MD5
6561111353a491e4ca81d468bcc035d6

SHA1
d2aea9804dcfb7feabaa0a3aca37f05d51ce70a1

SHA256
d9263e6766bb36e481c6206629190746f88a3045ff34eddf1d71fb5726eacb6a

SHA512
1cb225788eec52dbe238d94db9fb02c30a579f482b8b835afea75f21b4dc9bd07d73111faf19ec58127bfe68794393b3e184c7cfd00f6209f07d09833336688c

Download Submit
C:\Program Files (x86)\GearUPBooster\9145\update.exe

Filesize
2.2MB

MD5
cce5afa7b3a53fbc40559f2be661550d

SHA1
0d4e45cdbc076ee67630e84f30354785f828bdad

SHA256
1cf912e6ccb6da446cb9ae22dbd2bee86aa090a7f4a385040d71ddba24c8ba5e

SHA512
e56dd66f8207b14f43fedf345ecf1e3d7052ba32bff4588c7a9da535c647229c85ac8aa398e56e6eb1108114ee9f2e0f28c0ba03c07712c144550c2f95f86b17

Download Submit
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe

Filesize
1009KB

MD5
561e2e81dc8a2abc5c648cdf5b407099

SHA1
1ac32fc3858032aa6d3c37b4ef8f2b92fe585e2d

SHA256
271dae8bcb2d3f40ab65c3feeed49b9ae2cdd91bfe16230971289e28570c9a7f

SHA512
2601e48ad443b98f8b207265eb8e46e6889c4d656e0f677b4f4d7cbc4fc1b1b031189e382f4d118eef6f4b54cb2d16a8179d2184cd8580d8b928b847a46315a8

Download Submit
C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip

Filesize
36.6MB

MD5
eae2454482c91254cdec6ef98d36334b

SHA1
92859b1791e70a652ab37bf93bbcd0807ea59e47

SHA256
80131d77cc49d3895aebff86ec156e262032c0f57e6a7c3323035de87b1bba32

SHA512
194a39569d7862a1c5ff99bd388cd1374f9776ffd33ea95ee7a31fd97f19dc9791a80e2d9202603ee52ab05c545ac6b9c8eb6ecbdf370b2907ed10aa7dd331f6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GearUP Booster.lnk

Filesize
1KB

MD5
f0a39cc527b257e9c2fee16ed7af7158

SHA1
9d2a179549c8c441f958e77737765bfe13ad712c

SHA256
15cdea19a9ae1feea13e2d63a4401f41f89884499b18468884a7f6a7616adf80

SHA512
3fc2da66f485f21a2a985bb5404ced8532addc8ab17c4b85272c86ad6003e8401037569641697b7359c631759569f1e8e234a574811d10342548e5b42797c23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD39.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD5B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
f6d1216e974fb76585fd350ebdc30648

SHA1
f8f73aa038e49d9fcf3bd05a30dc2e8cbbe54a7c

SHA256
348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271

SHA512
756ee21ba895179a5b6836b75aeefb75389b0fe4ae2aaff9ed84f33075094663117133c810ab2e697ec04eaffd54ff03efa3b9344e467a847acea9f732935843

Download Submit
\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfb08fb09e8d68673f2f0213c59e2b97

SHA1
e1e5ff4e7dd1c902afbe195d3e9fd2a7d4a539f2

SHA256
6d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e

SHA512
e4f33306f3d06ea5c8e539ebdb6926d5f818234f481ff4605a9d5698ae8f2afdf79f194acd0e55ac963383b78bb4c9311ee97f3a188e12fbf2ee13b35d409900

Download Submit
\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
c2ead5fcce95a04d31810768a3d44d57

SHA1
96e791b4d217b3612b0263e8df2f00009d5af8d8

SHA256
42a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62

SHA512
c90048481d8f0a5eda2eb6e7703b5a064f481bb7d8c78970408b374cb82e89febc2e36633f1f3e28323fb633d6a95aa1050a626cb0cb5ec62e9010491aae91f4

Download Submit
\Program Files (x86)\GearUPBooster\9145\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
a20084f41b3f1c549d6625c790b72268

SHA1
e3669b8d89402a047bfbf9775d18438b0d95437e

SHA256
0fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1

SHA512
ddf294a47dd80b3abfb3a0d82bc5f2b510d3734439f5a25da609edbbd9241ed78045114d011925d61c3d80b1ccd0283471b1dad4cf16e2194e9bc22e8abf278f

Download Submit
\Program Files (x86)\GearUPBooster\9145\sentry.dll

Filesize
426KB

MD5
bf9002bf5c878cdca749025a5f875d6b

SHA1
e916d3121706dbd1ada335b414e4601373b86ef8

SHA256
4d9af7c5442387ed91671d2f0360eb6cba3baa3c706b8f6b898d3018b8c7fb05

SHA512
34873e1bd9c077046469db3a2176581aea162933c39c51f1ded462030fb2238a93b3d7e20ff14a497be42e019f2f23add141d98b662b395618bf69ed74a90a20

Download Submit
\Program Files (x86)\GearUPBooster\9145\skin.dll

Filesize
8.4MB

MD5
91261a7818cb6abf8ad9ecaed3446b57

SHA1
a5a30269f333ff70dce7a0c22cca29f45851cf16

SHA256
a93f6b8359bb65fcf995bdeb1a391d08685e480c55dbdf3a61d3d388438a57f5

SHA512
e6a2c6de3ec95a5b8184050c454b4e53a53123846062851448e8e40393ab99d4bb2391db0e8b54b3a87f1a0af422befea1c58b7dc98a41063c583abeafbcd0f2

Download Submit
\Program Files (x86)\GearUPBooster\9145\skin.dll

Filesize
6.6MB

MD5
9efa708853ac0a4fb14d5a83d2e0c32b

SHA1
1be46ebe28c15d9f2599e4ce515747840698e3c7

SHA256
cff3e28a65dc5f65cd2cf561c4feb8c598ad5ed2e64da547d576d195d2a71eb5

SHA512
8d58a28430a5a364fe752fcc9c727350eb0665e83fdddeb47b039a4ac4c783562ef40327dbfb6886a1225aa33acc75f6ca0801d3ae768831fb10f9b89bb3dfe6

Download Submit
\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe

Filesize
589KB

MD5
c6d72642721e84d227defc3ec4ab12e6

SHA1
3709a7c3cc795a0012adc6ccaf82a93628703518

SHA256
0cc0de83b51dae55a4fcae559defc87bea8448010d064c316abcfe9459ece035

SHA512
fa2c8b9fa34b190be45fc363f4760603cb6a389bc01fd617a1861ac709eef5e5dd42ea3d5524a1660ea8202dc17687265cd9bb87f5b4c9a9cf714744a8489389

Download Submit
\Program Files (x86)\GearUPBooster\launcher.exe

Filesize
921KB

MD5
dc42bc4f06d967badd3166cf2c08c294

SHA1
152b4db1d5bda610c90ff27b8def25bb156238be

SHA256
d6c21e9a316e7a127a9ab17c6ec5bd2ed104f6bac41c4e83293cf0b0e9e40cef

SHA512
bf088dafd911f20157d95ce5e825b648c28462adbb135ce447356f01380c9b621b6b6553c2a19327b91cb67b91620941bb80f6de437421298dc79ea25f07cb0e

Download Submit
memory/1976-428-0x000000002F400000-0x000000002F401000-memory.dmp

Filesize
4KB

Download