hxxps://www[.]gearupbooster[.]com/ru/

Resubmissions

Analysis

max time kernel
70s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.gearupbooster.com/ru/

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\hostpacket.sys	GearUP-2.4.2-win.exe
File opened for modification	C:\Windows\System32\drivers\hostpacket.sys	GearUP-2.4.2-win.exe

Executes dropped EXE 10 IoCs

pid	Process
2024	GearUP-2.4.2-win.exe
3080	7za.exe
1468	launcher.exe
4912	gearup_booster.exe
1804	crashpad_handler.exe
4632	gearup_booster_ball.exe
4804	gearup_booster_render.exe
4964	gearup_booster_render.exe
764	gearup_booster_render.exe
3544	gearup_booster_render.exe

Loads dropped DLL 27 IoCs

pid	Process
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
1804	crashpad_handler.exe
1804	crashpad_handler.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4632	gearup_booster_ball.exe
4804	gearup_booster_render.exe
764	gearup_booster_render.exe
4964	gearup_booster_render.exe
3544	gearup_booster_render.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AF_uuid_gearupboosterpc = "2402c487-cbd9-4f51-831d-ad9b30256370"	gearup_booster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AF_counter_gearupboosterpc = "0"	gearup_booster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AF_counter_gearupboosterpc = "1"	gearup_booster.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	gearup_booster.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\i386\tap0901.cat	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\x64\tap0901.cat	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\api-ms-win-core-file-l2-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\d3dcompiler_47.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\fa.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ms.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\th.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\tr.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\local_proxy.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\wfp\win7\x64\nwwfp.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\wfp\win7\x64\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\x64\NW_TAP_0921.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\msvcp140.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\vcruntime140.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\wfp\win\x32\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\arm64\tap0901.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip	GearUP-2.4.2-win.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\wfp\win	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\gearup_booster.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\lspinst_x64.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\7za.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\api-ms-win-crt-filesystem-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\debug.log	gearup_booster_render.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\am.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sw.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\VisualElements\Logo.png	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_render.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\udp_connect_lsp.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\i386\NW_TAP_0921.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\hostfp	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\i386\OemVista.inf	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\update.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\tun2proxy.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\wfp\win7\x32\gunfwfp.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\i386\NW_TAP_0921.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\hr.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\natives_blob.bin	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\lsp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\local_proxy.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\i386	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\de.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sk.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\grp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\drvinst_x64.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\api-ms-win-crt-stdio-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\arm64\tap0901.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ca.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\fr.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\nb.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\launcher.VisualElementsManifest.xml	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\x64\OemVista.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\udp_connect_lsp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\UETSdk.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\ui.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\VisualElements	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\x64\NW_TAP_0921.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\tap_driver\x64	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\snapshot_blob.bin	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\api-ms-win-core-synch-l1-2-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\browser.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\ws2detour_x64.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9154\wfp\win\x32\gunfwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9154\wfp\win7\x32\nwwfp.sys	7za.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	GearUP-2.4.2-win.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	gearup_booster.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618827104851846"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\URL Protocol	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open	gearup_booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command\ = "C:\\Program Files (x86)\\GearUPBooster\\9154\\gearup_booster.exe \"%1\""	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu	gearup_booster.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	gearup_booster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gearup_booster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	gearup_booster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	gearup_booster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	gearup_booster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	gearup_booster.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
3892	msedge.exe
3892	msedge.exe
3984	msedge.exe
3984	msedge.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
1872	identity_helper.exe
1872	identity_helper.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeRestorePrivilege	3080	7za.exe
Token: 35	3080	7za.exe
Token: SeSecurityPrivilege	3080	7za.exe
Token: SeSecurityPrivilege	3080	7za.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
4632	gearup_booster_ball.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
2808	chrome.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
4632	gearup_booster_ball.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
4912	gearup_booster.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2024	GearUP-2.4.2-win.exe
3080	7za.exe
1468	launcher.exe
4912	gearup_booster.exe
1804	crashpad_handler.exe
4632	gearup_booster_ball.exe
4804	gearup_booster_render.exe
764	gearup_booster_render.exe
4964	gearup_booster_render.exe
3544	gearup_booster_render.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3020	2808	chrome.exe	81
PID 2808 wrote to memory of 3020	2808	chrome.exe	81
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3416	2808	chrome.exe	83
PID 2808 wrote to memory of 3520	2808	chrome.exe	84
PID 2808 wrote to memory of 3520	2808	chrome.exe	84
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85
PID 2808 wrote to memory of 2364	2808	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.gearupbooster.com/ru/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae238ab58,0x7ffae238ab68,0x7ffae238ab78
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:2
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4496 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5240 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1908,i,132139520314011506,9923080627370825895,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Users\Admin\Downloads\GearUP-2.4.2-win.exe
  "C:\Users\Admin\Downloads\GearUP-2.4.2-win.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2024
- - C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe
    "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"
    3⤵
    PID:2460
- - C:\Program Files (x86)\GearUPBooster\launcher.exe
    "C:\Program Files (x86)\GearUPBooster\launcher.exe" /install_shortcut 1 /install_autorun 0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1468
  - - C:\Program Files (x86)\GearUPBooster\9154\gearup_booster.exe
      "C:\Program Files (x86)\GearUPBooster\9154\gearup_booster.exe" /install_shortcut 1 /install_autorun 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      Modifies Internet Explorer settings
      Modifies registry class
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4912
    - - C:\Program Files (x86)\GearUPBooster\9154\crashpad_handler.exe
        
        "C:\Program Files (x86)\GearUPBooster\9154\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --metrics-dir=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_proxy.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_tun.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_lsp.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\8fe7d785-87a8-4137-153b-ef97a042d172.run\__sentry-event --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\8fe7d785-87a8-4137-153b-ef97a042d172.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\8fe7d785-87a8-4137-153b-ef97a042d172.run\__sentry-breadcrumb2 --initial-client-data=0x468,0x48c,0x490,0x460,0x494,0x73c95160,0x73c95174,0x73c95184
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1804
    - - C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_ball.exe
        
        C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_ball.exe /main_form_wnd 983412 /show_flag 0 /pos_x -1 /pos_y -1 /version 9154 /client_id 665d95701f199e11f8c9121c /gray 0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4632
    - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
        
        "C:\Program Files (x86)\GearUPBooster\9154\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=28A93A56E9FF2FB43BED6211856DD9FD --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9154\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=28A93A56E9FF2FB43BED6211856DD9FD --channel="4912.0.1873060389\720814792" --mojo-platform-channel-handle=3896 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4804
    - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
        
        "C:\Program Files (x86)\GearUPBooster\9154\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=BE1D70E99EFDFBAC72504CB5E3F0F1BE --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9154\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=BE1D70E99EFDFBAC72504CB5E3F0F1BE --channel="4912.1.2039632325\1148200370" --mojo-platform-channel-handle=4868 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4964
    - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
        
        "C:\Program Files (x86)\GearUPBooster\9154\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=C0EF77ED6665CA71D1145CCB88953931 --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9154\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=C0EF77ED6665CA71D1145CCB88953931 --channel="4912.2.405077495\503180721" --mojo-platform-channel-handle=4884 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:764
    - - C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
        
        "C:\Program Files (x86)\GearUPBooster\9154\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=8CA3F21F3BDC2B560BF67F19DC2799CA --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9154\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=8CA3F21F3BDC2B560BF67F19DC2799CA --channel="4912.3.1187557248\205392366" --mojo-platform-channel-handle=4872 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://win.booster.gearupportal.com/login/facebook/6PrwYiPDN7OEzPxRCNJV9gJ0oTcsn5baXIrvqFV2yABFm4sLj3jwRxrbTgm1Hugm/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad16a46f8,0x7ffad16a4708,0x7ffad16a4718
        6⤵
        
        PID:6008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
        6⤵
        
        PID:1016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        
        PID:1932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        6⤵
        
        PID:3424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
        6⤵
        
        PID:724
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:4488
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,15781087529756604171,948209501821653465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GearUPBooster\9154\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\VCRUNTIME140.dll

Filesize
88KB

MD5
81b11024a8ed0c9adfd5fbf6916b133c

SHA1
c87f446d9655ba2f6fddd33014c75dc783941c33

SHA256
eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829

SHA512
e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\browser.dll

Filesize
38KB

MD5
1360c1d67a865ba1f6085e2246f42677

SHA1
ea3eca123552859a8ef4bd0c2db133acda97c300

SHA256
9c25f4fa25116542a9c16d94ababec450c6184c6e8bc3cd90f3d9dc4ed5bcc39

SHA512
64c290db722c28cd613cf0674d0fccbc54b1b9c5338b59cecaa2cea1d78ec061793b12eb2289d9b901f84b91fac85b9a6f974e3ca751ac31f788d859a7bdae07

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\cache.data

Filesize
575KB

MD5
1dee371ce22f41e20fa15729952d1f10

SHA1
e78694d1546858cba83dceed2a077db3d6d126dc

SHA256
8eec42dc41b2799ed3a11f9cd00af274648d5e90de06432c9ad35abc95b2f33d

SHA512
b21a92f0d6638ade58f4aafc628b559693930e6d438a7abfebb2b97b1a3f35655d6a9a5e038a5f57f264fd477db91313a2daeb6147de3984a2d8096d75b66839

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\crashpad_handler.exe

Filesize
853KB

MD5
5a243339440082631749f4bdff283bf5

SHA1
4c3512320b1b3c05ce265037a37aa3f16d3cc57c

SHA256
80d4effa417d43821a0a0ee967a290836501edd4b6057f033c7ebc449badd150

SHA512
c0b889a819ac5cc6904caeb37e504e6a50d33e49a0e6fb6bdaf8e372190c9bca021017103a7dfcedf7e2c8d9c6a1f3eef103cdf389a5f6bb9ff71f03783ebe24

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\crashpad_wer.dll

Filesize
36KB

MD5
e161e5dd4c57dbb72ef46cd60ac7c8b3

SHA1
7889c0cd22720bb76195bb8de0b77ebcc8068d57

SHA256
e4a2295cff0949d9f0a646f36d7fbaa40fefdbf5958d21b091f95d9c96c345d5

SHA512
d08200a5535cfafac52a0fc16b5512863d6d8d70514bd8cd3324451c47cb5cd5d5592c3ac1440308f52d4142c1551a891a1d4ea7332159b2f4c5bd249b6fd100

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\gearup_booster.exe

Filesize
7.7MB

MD5
2cbb007f80a8a9e8a87fbc8bbd8b5326

SHA1
9a33fd565d502ada0e1a07774ac227fe63cad887

SHA256
f52b045ba5d260b4d9fc63db74713c36dbda773c734def37e9162736621a4d6b

SHA512
367381f3d45d2da49b6655341fcdd676eae832c30eefda8493e7b4ecdafacf6c7c7810d41f6c074dbe1ed132d479a708fb8f49809e92e5fb1ff5508f8e6098df

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_ball.exe

Filesize
1.4MB

MD5
dfa66f06c81ed5319c8d78c8c9f5b8a5

SHA1
16d6baf05bd12f5b9f79c133142a53d7c2517b8d

SHA256
5400b8b961441195e7f593cec25e169a5110bad5f00af5afa97704ec73266258

SHA512
e96f65148143ffaf232826e3bca82e38496a31393d49e29fa6aa765635508b00b78cb7fdb6d0ed53d2a636f05cc1c70900ecb85dee344470c4b6228171808d44

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_render.exe

Filesize
1009KB

MD5
561e2e81dc8a2abc5c648cdf5b407099

SHA1
1ac32fc3858032aa6d3c37b4ef8f2b92fe585e2d

SHA256
271dae8bcb2d3f40ab65c3feeed49b9ae2cdd91bfe16230971289e28570c9a7f

SHA512
2601e48ad443b98f8b207265eb8e46e6889c4d656e0f677b4f4d7cbc4fc1b1b031189e382f4d118eef6f4b54cb2d16a8179d2184cd8580d8b928b847a46315a8

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\gearup_booster_vpn.dll

Filesize
33KB

MD5
813867a4605e0f3d52d02fa0c6b60664

SHA1
c0f60dd7424f2cd47cb05e37021745949580203d

SHA256
1d32b06c29cd1d6243025fd0dc6a0a1b30849e2ac534b72c830891f9895d893d

SHA512
71c6b2cb616e23b3d7df70d78944dc526962edd490d0426fd3fc0e6d9ba397b0226bd4f780dc802b114b75f9d5b52013cab482060d0b36272dedc5450ce16928

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\hostfp\64\hostpacket.sys

Filesize
37KB

MD5
5ac815ad2f4386140fe4c7eef3b06233

SHA1
6dd0e26f3c447602109253a7eaad59064c4162ca

SHA256
08d86eae497df069ef9e6525e9513a019ff7a9971780c1987fde858d51f4ed66

SHA512
98cf60aceabadc078e00ad1e274028714f7bbf3c86f0522ab423d50231156a2513e8cc1946b242c64af7287648e6d4ba5e630824b4d83134c471689db42fbbf5

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\lunasvg.dll

Filesize
344KB

MD5
45edee8d5b3f30f280450edfd2a0d7e3

SHA1
426cd368ffde347d5160bbd8de7ce492f441590b

SHA256
99410178464567de43b0a77cace66b8a4c1531618008604dc6b04741fff5fbd0

SHA512
40d95f257b28de69956a1d3c00cd10aab9e5d01484cb30e4a6c010001ac3cdc2264128829e9a91f2218a92b3dd86f31f94d0cd2eeb86acd1fa9c17f09c77b71d

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\msvcp140.dll

Filesize
432KB

MD5
a6b18a2772631cdd06f95b19d66d2d4f

SHA1
c342250efab725f643e598f49d1710c74f78d022

SHA256
76cc277b564e69e35a0d9c440f013a52b5d25f43ba42fd0099d6fc1f05a6ce16

SHA512
f98e07c1b92ecfc662021e33486b660942de390b8e947126f304adee911da0574d6cac416748f6f03e6cce981737eb694fb3d2bcd80e1e207eba91a44b5f23e5

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\ping.dll

Filesize
737KB

MD5
bd27032cecbb82ceab44ace6198e52c7

SHA1
0be5b4e90b494f671823ea01df4973d5e76e0de9

SHA256
ec205ded904646c9c7e0434782470af27100b79edcf86bb8a567c5da2ceda3b4

SHA512
d773176f17f59ac84e03bb535c5a6ca243e06a9ece14507fe2e27b376aefd1c15bb4765004cd219affb5df2df0a4aeb5992f4891d3485da0185215b594b47a38

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\sentry.dll

Filesize
426KB

MD5
bf9002bf5c878cdca749025a5f875d6b

SHA1
e916d3121706dbd1ada335b414e4601373b86ef8

SHA256
4d9af7c5442387ed91671d2f0360eb6cba3baa3c706b8f6b898d3018b8c7fb05

SHA512
34873e1bd9c077046469db3a2176581aea162933c39c51f1ded462030fb2238a93b3d7e20ff14a497be42e019f2f23add141d98b662b395618bf69ed74a90a20

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\skin.dll

Filesize
12.1MB

MD5
256eeea994675897784496887ad13bd3

SHA1
cd3c7653a9664ba4b0ce154f4a870d31a8d18f23

SHA256
0485d177ad7db6f8501bf887d0de84f45898cd9cef35c69d7234b5c02d570f51

SHA512
f48c3978b815a9e8bfaa1b4b4351cd596a09633d16eaa26204f4951e12c95b906ef50de2faaad2c3552c1ed68c024fb0eb726165907227cd0856ca9fd619dec8

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\ui.dll

Filesize
1.1MB

MD5
c4ad9215503e4d251dca502f1c371708

SHA1
1c117b0f1c8ec69f46b3e8def957c8f456cb0620

SHA256
b30c838428ed6a9d248b1e661f8d98e25a1744db17d20c445a04d344a0f33393

SHA512
c44b8b09dcb8f74da2dc29bbeed23e27d74c621b1a452dd5dad5eacc2ddf9ac3c14d81fe2f439528ec31ff3664ed5ef7dfb943951e15002fcb6e74b153c6def4

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\uninstall.exe

Filesize
2.1MB

MD5
5958880b37e8067e9643f1dacc9cf3bf

SHA1
f00719bfdadc6ce330499580287c405134dcac07

SHA256
6fc4080741b28eaf319ea716853fb15139be1b97dc61d422def8100da77ab1d2

SHA512
2bce6bfa7bdd2d1c663a379ddde756b088d6a3a7fe53aabd990cf14c7ace36795cbb9fd94cbd19547e6e15f34819ab11760337b80ba18f9edda9f5473ba796dc

Download Submit
C:\Program Files (x86)\GearUPBooster\9154\update.exe

Filesize
2.2MB

MD5
e7a344ef1e4dd78d86288c8d473f3ddb

SHA1
cc6b66fa98f50b944cfd479d803840a7e2a6b2b5

SHA256
41e2d866af350580de3c9312d8005cf14d035f8c7bb966ba85520c1f4f3c2d7f

SHA512
3d74028d99b02a9b63bb51c06a128d01cdd1702fd522550196c1a8c371c323ab3d0833fc1c8d674cc247cef2c9b6937a1923444aeb19c07e57f470e704a73482

Download Submit
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\icudtl.dat

Filesize
9.7MB

MD5
3ed56e55ff45ab973ffc483e5d483a5a

SHA1
5d9d39c80054ed315fa4cac23cd956e3121ce5d0

SHA256
22b4b162fa9c1a35d086df4b2532485c0ddfee4649de8519cfc52a09f749b8ea

SHA512
b8998b76b2691941ea724f404c9b95bfb1593e6fb17d0d7fd57d04069b180a01eec82934357c2dfd48958b6d3d4e3489b111f7c0078134d300710d76f9ee3daf

Download Submit
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\en-US.pak

Filesize
197KB

MD5
f7696f13a51166fd3efdb3f918c4ce3b

SHA1
2a5fb539b40af62ac6140477bff456211ddc6d28

SHA256
e572a8d7c366b462f1f2d0dc8577ab73824b8f8b39698e104ca4538d1be908dc

SHA512
4a005470cdc0bd84d1fc002a35825ce9bb2648dc0784665a31219a1f2b1e9c246002d051d50f6dfbeed69c1bd4f7f0f70589cfd6dfe65a0365783c1099ef367f

Download Submit
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\natives_blob.bin

Filesize
342KB

MD5
ddb16ce3c579ab3900139b68dff4d307

SHA1
cc274783f8f44576ea17e7077d943aed4f94def6

SHA256
3bf49b753358169ed23a41f1a84d16831f16dd389b2b59c62e1ba2ec76d7b9cc

SHA512
2fb862f1d9f7a84da850c28ce7546335ec9978e6b43dd94e1adaae7be5a864f4b11c56175e0e170d6ab616a50bf6883d9e695f896f57a95a0ea35eecc8f6536f

Download Submit
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\snapshot_blob.bin

Filesize
671KB

MD5
39a5320c010b68b0e0cc085b1640cdb4

SHA1
9111cdadbc3a4609d150c36624e109db5460c87e

SHA256
d8ee479ab35e34810f4b18305e89e96f5fb0032df66305eba9ec7ffeee51f576

SHA512
2e0f29afbebb91e178446d155784d58ff6d152e1f411a654e11a7ef99ce58e22c9cb9e3e7061ea45b9bdb4130f16a47c8c31a1ed11f97b33a437a8deef49267a

Download Submit
C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe

Filesize
589KB

MD5
c6d72642721e84d227defc3ec4ab12e6

SHA1
3709a7c3cc795a0012adc6ccaf82a93628703518

SHA256
0cc0de83b51dae55a4fcae559defc87bea8448010d064c316abcfe9459ece035

SHA512
fa2c8b9fa34b190be45fc363f4760603cb6a389bc01fd617a1861ac709eef5e5dd42ea3d5524a1660ea8202dc17687265cd9bb87f5b4c9a9cf714744a8489389

Download Submit
C:\Program Files (x86)\GearUPBooster\launcher.exe

Filesize
921KB

MD5
ff3fc2da7d48212eea03dc5e26b1a416

SHA1
9b75bc9ca71fc927b4708cd5b54d344baf3484f9

SHA256
8d73a4b409c972222daf3e9f6391b7ec5e2b9725c59675cd0fcdbae0dc47db1d

SHA512
fc35d8f35047ce24709dffee9bb2177b604c9c33075b4af474ac822ac83b46f7758b93113ce882743bd6c6b422046755e0ef55432bc1d261f63634eb902c4125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
df7a805763bcf3d32f98c040575779a2

SHA1
3c32e565f0f85ed3521642d1bbf206f50d9ae486

SHA256
72e62569327d9eef99b3b25a211aa8ff4d8fd7359198a819ee4a04e972f00907

SHA512
557f55b6faf7c74b096efbd0af429ca4a5123f7c78d186bbbc18b933c96c9c19cda9c92a29e6631775af8d5d09397d81853f76941d9417c5872eebb476d92e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
e6d51954c669cee18b9dab62b5a901d7

SHA1
2dab17127cd5b0e839a079bb75864dcb22fd1183

SHA256
6e887e4fbd83b4ef7347e9c392053134fe5e7a8759fcf45c5b65452d2e764738

SHA512
020b33663faa882840abc0932d3ae829378ab26618e9fc2aacf0cadb4b2effa69327567f2e7519b786382dffba0fa158ba674c7bc2aed54fb8c8238131a85aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cfb1143b0f3ec22b37f4884456a10c3a

SHA1
cd4668fae471cbd323c923f5d017bb4baac2fa60

SHA256
e589321f46a430de0b16a1c18c8a5bd32b6f10953d44f2597518943d55d46e69

SHA512
7600be4ffb3ebc7272c358099a788f6fd52d8a6039f976717bffdabc1a18779a6a4d9b9ddd85099933cbcc6af194ad4c9a2a4f8e1b081b2084fa3a5e592273e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
2a2a382be11b41c22693562164a99220

SHA1
bc509d7281c5dc9cd4af1ddbcd89f87e71154e16

SHA256
762fede8e10fca315e2fed9b04239db8e06c2689c74be2e834ccff3ce774bacc

SHA512
82407afea7958901f3fddc0888f452305d2f2042074c536391df6acd20a956de83253b0a550074504dd8a0cadc6bbd337b1a58bf78782325035c56ba4de24aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b5f230f63018a9f284d7f80ee550052a

SHA1
26357d2d4f4bed590df5cae4506a97971b47b57f

SHA256
91b7b3089684d43efd1f8b77a812e787d93ab6a549cf56f7a3ecd08d51f0ba41

SHA512
4087dbae498aa3bdb10cf873051941e86289c89e54eadd7c92355331a1238b7811cd98ba5ea707fd82033113c1abd03c25b77b525075931fef944c566a4a5f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
584526cf8cac6fe86e8ce34c1f33d859

SHA1
6fbd65109361d5377265f8a716934cbc2d1d1137

SHA256
43e9696b74f00b4041411b4ab2df43a680fcf2a69ffd9b8b3a9598885bfc24ea

SHA512
66cee521a98ea89bf7280095246f7a58ba9526686120e8ac4f226629a2ce28ea9bf418a3a7a896921f025eebeb0a63c36bcbbc1b880745eefb88c2553b62315a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
551ba1e6761ce8f79c7442f6f6497491

SHA1
dcc4dce4afda4be8123ec8d6f659d466a18cedc2

SHA256
477532fb3f458d5cf0de21a8352f0687e6baffcbb63d8587d7c43ce0637815d4

SHA512
c8cc9b4741830e8ccdff929c33698db25a6fb5550ac1627e1951a0bf3b6c0bd269291c9e62d5b3d26ee05076a3116f3359d18ac3874f34095e25f75f142c30ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
e8a3e419f00e2701857271d204b798bf

SHA1
fbd05efd460d7cbec033771e5feef9bf8cac46cd

SHA256
e8e7e71742e8c69b120efdd3950792358dc2173639d7b3c5d7bf173ac5b1afd6

SHA512
aae4904a33d4f48bcae71b2245b2f570d7493981144ee0aad4cad046373f130f0f763716d3b69618fa952f25784235ded7354029a9f60515996a33cfc7f9dd27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
5b3ba321c064e047f9b6b5fbe4992930

SHA1
31de385e6d31c60b9061391ad944c65d695b75aa

SHA256
f06844a0c5929c031febb80155f048dde57df6280e4f255d21738bcb98d1aaa2

SHA512
7efddd30e067cfdfcbf12693b069cfd280575dbff4890e00d547b9b1ff7faa9d9ecd8b25dc0798da11c0342494a9eee88976ad1c5f7d4ff5295309cd16189fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
77cf8d34cf1b9ed7ce1b08111f7221d7

SHA1
d84242f83f5108a7f102fa49edd1fdbd981a9899

SHA256
730800e27773d23eb4a3e71f854878f1dfcade5889344a8ec1f5c04bf8a41716

SHA512
97e84a2411952b9f650a86401c51163f6f2e96b19aad0e8e94a3152eb71f700de3000c01177dcc301aea2f89ea0d563dcbb66c04705c7b22ba63ca3e8be5195b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
347B

MD5
2303ae5b79cfde6476a9b1eaf92336ab

SHA1
6aecacc4f626528e9abd431604a0868b7cc28880

SHA256
c357d72ed3f5f76655ced613d589aeebece00b8adc35eaa5f6c92bc01911aef6

SHA512
4bf679e4339b9b3192add0a7027580c008ad107febc2edce20603220fe43fa4145e98893c337320199946eff7d5f7ebb82c3de72e2cbdbfb5650c07e68830c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7fbbe785268da46b545bb42cf9376237

SHA1
75c9c695899a9f654588dc91314423933dab13e4

SHA256
5b1e0a4fd1f14c4d2a79aba3ade85d81d3c7e11ec99fddfa85eb4d9d459f6e7e

SHA512
82cc65307bc8ac1a9eb582ce60f084aeda22a650805a25260fccda377dc1df13939a7eb71adb22eb772dad9f0e191e4486c3a333e652f3efcb5013060d3aa7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68b423b3e423429fb386a87477ca61f1

SHA1
569530e24e2d175f261220d430dbc50103a5f97d

SHA256
3fc42fc05b351f98b3a03b0dcd2e528f86045ba489ac4db4160d72d9f0961f6f

SHA512
33ea63086b17a83a7f9c23f720333a271b96db2f688a6d669a3a0ee4e501d1e93d470510b9c51bb523ff53ac3ba1a3e87ddac255851f89128dc467a66b8a99d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10a1f29dca10aaa28b0a3e05ec8c253d

SHA1
8515f549d51acdb955d315653f4231b0d27a0623

SHA256
f4d59c2e23c78f554f0fdefe36f8335cbe26d1468e49c1ba82e46c3b8afb2d0a

SHA512
180c83566b45004c735c5e4925555605b1bb34c41bdeb48c00f9846143db067cb9ce95ab99361d40355a66d9a2708370f3e72712b1ac2c4ddc4b715c202cdf46

Download Submit
C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log

Filesize
103B

MD5
46e9a6ec4408e1469d6c3ce4a25ccbd0

SHA1
650e89f79cd566262d3f0ad8c8e44b69aadb88ba

SHA256
f2e3915d15c3ba7551bd1889bd3760e2bc4a7c23c7835a95cf8a4c21e4380735

SHA512
5ccaf4481b8e465074463fa7aa5015f43597005d9aba34a977bea25978726a9b4fd67796b43797361d56c9d77e95fd6fcf494297cca4201688113e1e090e87d6

Download Submit
C:\Users\Public\Desktop\GearUP Booster.lnk

Filesize
1KB

MD5
f0fbe1501cab274264de34d2db8f685c

SHA1
5994a1da773a7eb91740033b4861ae4e18f8b641

SHA256
7612e4ec0782f7fd4f976cf9f9b7fbda605120b7183b955f78dff395bc28a836

SHA512
3e1a538f5ea10d715464f9d9207698df1df25e91266e8ed9cb77a1ae88a06fc626c6708c07af09a823d9e7c7ece83ba9f3786d28b63c99d97dfd831020dcc7db

Download Submit
memory/764-605-0x000000000CF00000-0x000000000CF01000-memory.dmp

Filesize
4KB

Download
memory/3544-607-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/4804-579-0x000000002F400000-0x000000002F401000-memory.dmp

Filesize
4KB

Download
memory/4964-606-0x0000000012D00000-0x0000000012D01000-memory.dmp

Filesize
4KB

Download
memory/5760-821-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-828-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-827-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-825-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-829-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-830-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-831-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-826-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-820-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download
memory/5760-819-0x000001E0B2290000-0x000001E0B2291000-memory.dmp

Filesize
4KB

Download