ec272e16f26ae18203872c423e9819373a2840ed4c3acc4fe902cf6195107463

Analysis

max time kernel
781s
max time network
789s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/08/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GeeLark_x64_1.8.0.exe
Size

356.6MB
MD5

174c9028c3149db2b677fce0e5ca6176
SHA1

bae23c504e3f2e0b34b638d9cb34d6286d400875
SHA256

ec272e16f26ae18203872c423e9819373a2840ed4c3acc4fe902cf6195107463
SHA512

bd2ed0c427851551d6afc9ae1728a094270dc8039b953e9f825c839bae5e3450fa8dc02db935b67847460f4d5bf1020e1b5bcbddb2504d46f06a099a07f43385
SSDEEP

6291456:r/UXqr57KtWnrZtMUjAvzAGUG1G/raD4ZkwXvRfLfRZV7EZ1SNG8+jjxlrxTr9RC:rUXqugZtMUMvnUGQ/m4ZkyBRUPD9jxlY

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3804	netsh.exe
2168	netsh.exe
2180	netsh.exe
3692	netsh.exe
4808	netsh.exe
424	netsh.exe
4744	netsh.exe
2668	netsh.exe
1344	netsh.exe
4324	netsh.exe
4652	netsh.exe
3124	netsh.exe
4272	netsh.exe
1424	netsh.exe
1492	netsh.exe
4068	netsh.exe
3148	netsh.exe
1088	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	GeeLark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	GeeLark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	GeeLark.exe

Executes dropped EXE 8 IoCs

pid	Process
3620	GeeLark.exe
3600	GeeLark.exe
1688	GeeLark.exe
2660	GeeLark.exe
4040	GeeLark.exe
3876	GeeLark.exe
4492	GeeLark.exe
672	GeeLark.exe

Loads dropped DLL 47 IoCs

pid	Process
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3600	GeeLark.exe
3620	GeeLark.exe
1688	GeeLark.exe
2660	GeeLark.exe
4040	GeeLark.exe
2660	GeeLark.exe
2660	GeeLark.exe
2660	GeeLark.exe
2660	GeeLark.exe
2660	GeeLark.exe
3876	GeeLark.exe
4492	GeeLark.exe
672	GeeLark.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\8755.bc34e562.async.js	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\es-ct.d5df1b2d.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\es.03da05c2.png	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\sj.c7265b6d.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\ru.fa231586.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\locales\th.pak	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\1948.d7d7ea10.chunk.css	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ma.6309773c.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\tw.13783eeb.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\aq.c2086b29.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ax.9c47933b.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__task-template__index.df7c1dcf.async.js	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ac.5046f800.png	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\rotate.424092db.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\xk.619416a6.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\cy.22e1c65c.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\Crypto\Util\.keep_dir.txt	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__message-center__index.76712ff9.async.js	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ar.30874519.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\ae.6a345243.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\assets\black_white_tips_zh.html	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\chrome_tab.43661edd.png	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\iconfont.6fe46634.ttf	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\nf.fbeb4805.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\i18n\vi-VN\index.json	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\layouts__invitation-rewards.85ea4162.async.js	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\sy.8360f47d.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\vi.2df6bc4c.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\menuSideTeam.8ef0ba2f.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\i18n\en-US	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\478.feef2a66.async.js	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__Promote__mine__index.32bb2627.chunk.css	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\windowSync.96c88fbf.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ws.ac3ab0f5.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\eu.364ad810.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\Config\CurrentLans	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\locales\kn.pak	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar.unpacked\node_modules\@lwahonen\ref-napi\prebuilds\darwin-x64\node.napi.uv1.glibc.node	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\8116.665e929a.async.js	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__group-manage__index.db06f060.chunk.css	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\bg.b329db20.png	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\subMenuSideGroupSvgSelected.ee5ee8b4.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\bag_disabled.6031442f.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\libssl-1_1.dll	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\locales\id.pak	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\locales\ro.pak	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\Crypto\Hash\_MD5.pyd	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\_win32sysloader.pyd	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\automation.a644f726.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\error_close_bg.4be3368a.png	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\locales\th.pak	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\az.386a73da.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\gt.5c1bd61e.png	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\az.386a73da.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\locales\gu.pak	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\gp.a7e59e7b.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\import_profile_vi.701d4ede.xlsx	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\md.1fe81bb4.svg	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\vi.2df6bc4c.svg	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\Crypto\Hash\_MD5.pyd	GeeLark_x64_1.8.0.exe
File created	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\sync\win32process.pyd	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\image	GeeLark_x64_1.8.0.exe
File opened for modification	C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\cr.52dcc867.svg	GeeLark_x64_1.8.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 54 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeeLark_x64_1.8.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GeeLark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GeeLark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	GeeLark.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application\ApplicationDescription = "访问互联网"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application\ApplicationIcon = "C:\\Program Files (x86)\\GeeLark\\1.8.0\\GeeLark.exe,0"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\ = "GeeLark HTML Document"	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\DefaultIcon	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\shell\open\command\ = "\"C:\\Program Files (x86)\\GeeLark\\1.8.0\\GeeLark.exe\" %1/"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application\ApplicationCompany = "42STUDIO"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application\ApplicationName = "GeeLark"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\DefaultIcon\ = "C:\\Program Files (x86)\\GeeLark\\1.8.0\\GeeLark.exe,0"	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\shell\open	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\AppUserModelId = "GeeLark"	GeeLark_x64_1.8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\Application\AppUserModelId = "GeeLark"	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\shell\open\command	GeeLark_x64_1.8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\GeeLarkHTML\shell	GeeLark_x64_1.8.0.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GeeLark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GeeLark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GeeLark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GeeLark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GeeLark.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\http:\datasink.morelogin.com\sa?project=morelogin	GeeLark_x64_1.8.0.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
1616	GeeLark_x64_1.8.0.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3876	GeeLark.exe
3876	GeeLark.exe
3876	GeeLark.exe
3876	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe
3600	GeeLark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3620	GeeLark.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe
Token: SeShutdownPrivilege	3620	GeeLark.exe
Token: SeCreatePagefilePrivilege	3620	GeeLark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe
3620	GeeLark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3620	GeeLark.exe
3620	GeeLark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1344	1616	GeeLark_x64_1.8.0.exe	73
PID 1616 wrote to memory of 1344	1616	GeeLark_x64_1.8.0.exe	73
PID 1616 wrote to memory of 1344	1616	GeeLark_x64_1.8.0.exe	73
PID 1616 wrote to memory of 3804	1616	GeeLark_x64_1.8.0.exe	76
PID 1616 wrote to memory of 3804	1616	GeeLark_x64_1.8.0.exe	76
PID 1616 wrote to memory of 3804	1616	GeeLark_x64_1.8.0.exe	76
PID 1616 wrote to memory of 3692	1616	GeeLark_x64_1.8.0.exe	78
PID 1616 wrote to memory of 3692	1616	GeeLark_x64_1.8.0.exe	78
PID 1616 wrote to memory of 3692	1616	GeeLark_x64_1.8.0.exe	78
PID 1616 wrote to memory of 1424	1616	GeeLark_x64_1.8.0.exe	80
PID 1616 wrote to memory of 1424	1616	GeeLark_x64_1.8.0.exe	80
PID 1616 wrote to memory of 1424	1616	GeeLark_x64_1.8.0.exe	80
PID 1616 wrote to memory of 4808	1616	GeeLark_x64_1.8.0.exe	82
PID 1616 wrote to memory of 4808	1616	GeeLark_x64_1.8.0.exe	82
PID 1616 wrote to memory of 4808	1616	GeeLark_x64_1.8.0.exe	82
PID 1616 wrote to memory of 1492	1616	GeeLark_x64_1.8.0.exe	84
PID 1616 wrote to memory of 1492	1616	GeeLark_x64_1.8.0.exe	84
PID 1616 wrote to memory of 1492	1616	GeeLark_x64_1.8.0.exe	84
PID 1616 wrote to memory of 4324	1616	GeeLark_x64_1.8.0.exe	86
PID 1616 wrote to memory of 4324	1616	GeeLark_x64_1.8.0.exe	86
PID 1616 wrote to memory of 4324	1616	GeeLark_x64_1.8.0.exe	86
PID 1616 wrote to memory of 4068	1616	GeeLark_x64_1.8.0.exe	88
PID 1616 wrote to memory of 4068	1616	GeeLark_x64_1.8.0.exe	88
PID 1616 wrote to memory of 4068	1616	GeeLark_x64_1.8.0.exe	88
PID 1616 wrote to memory of 3148	1616	GeeLark_x64_1.8.0.exe	91
PID 1616 wrote to memory of 3148	1616	GeeLark_x64_1.8.0.exe	91
PID 1616 wrote to memory of 3148	1616	GeeLark_x64_1.8.0.exe	91
PID 1616 wrote to memory of 1088	1616	GeeLark_x64_1.8.0.exe	93
PID 1616 wrote to memory of 1088	1616	GeeLark_x64_1.8.0.exe	93
PID 1616 wrote to memory of 1088	1616	GeeLark_x64_1.8.0.exe	93
PID 1616 wrote to memory of 4652	1616	GeeLark_x64_1.8.0.exe	95
PID 1616 wrote to memory of 4652	1616	GeeLark_x64_1.8.0.exe	95
PID 1616 wrote to memory of 4652	1616	GeeLark_x64_1.8.0.exe	95
PID 1616 wrote to memory of 424	1616	GeeLark_x64_1.8.0.exe	97
PID 1616 wrote to memory of 424	1616	GeeLark_x64_1.8.0.exe	97
PID 1616 wrote to memory of 424	1616	GeeLark_x64_1.8.0.exe	97
PID 1616 wrote to memory of 2168	1616	GeeLark_x64_1.8.0.exe	99
PID 1616 wrote to memory of 2168	1616	GeeLark_x64_1.8.0.exe	99
PID 1616 wrote to memory of 2168	1616	GeeLark_x64_1.8.0.exe	99
PID 1616 wrote to memory of 3124	1616	GeeLark_x64_1.8.0.exe	101
PID 1616 wrote to memory of 3124	1616	GeeLark_x64_1.8.0.exe	101
PID 1616 wrote to memory of 3124	1616	GeeLark_x64_1.8.0.exe	101
PID 1616 wrote to memory of 2180	1616	GeeLark_x64_1.8.0.exe	103
PID 1616 wrote to memory of 2180	1616	GeeLark_x64_1.8.0.exe	103
PID 1616 wrote to memory of 2180	1616	GeeLark_x64_1.8.0.exe	103
PID 1616 wrote to memory of 4744	1616	GeeLark_x64_1.8.0.exe	105
PID 1616 wrote to memory of 4744	1616	GeeLark_x64_1.8.0.exe	105
PID 1616 wrote to memory of 4744	1616	GeeLark_x64_1.8.0.exe	105
PID 1616 wrote to memory of 2668	1616	GeeLark_x64_1.8.0.exe	107
PID 1616 wrote to memory of 2668	1616	GeeLark_x64_1.8.0.exe	107
PID 1616 wrote to memory of 2668	1616	GeeLark_x64_1.8.0.exe	107
PID 1616 wrote to memory of 4272	1616	GeeLark_x64_1.8.0.exe	109
PID 1616 wrote to memory of 4272	1616	GeeLark_x64_1.8.0.exe	109
PID 1616 wrote to memory of 4272	1616	GeeLark_x64_1.8.0.exe	109
PID 1616 wrote to memory of 4140	1616	GeeLark_x64_1.8.0.exe	111
PID 1616 wrote to memory of 4140	1616	GeeLark_x64_1.8.0.exe	111
PID 1616 wrote to memory of 4140	1616	GeeLark_x64_1.8.0.exe	111
PID 4708 wrote to memory of 3620	4708	explorer.exe	113
PID 4708 wrote to memory of 3620	4708	explorer.exe	113
PID 3620 wrote to memory of 3600	3620	GeeLark.exe	115
PID 3620 wrote to memory of 3600	3620	GeeLark.exe	115
PID 3620 wrote to memory of 1688	3620	GeeLark.exe	116
PID 3620 wrote to memory of 1688	3620	GeeLark.exe	116
PID 3620 wrote to memory of 2660	3620	GeeLark.exe	117

C:\Users\Admin\AppData\Local\Temp\GeeLark_x64_1.8.0.exe
"C:\Users\Admin\AppData\Local\Temp\GeeLark_x64_1.8.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLark__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1344
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark__rule" dir=in program="C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3804
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark__rule" dir=out program="C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3692
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLark_120_Core_Chromium__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark_120_Core_Chromium__rule" dir=in program="C:\Users\Admin\AppData\Roaming\GeeLark\env-kit\Core\chrome_64_120\geelark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4808
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark_120_Core_Chromium__rule" dir=out program="C:\Users\Admin\AppData\Roaming\GeeLark\env-kit\Core\chrome_64_120\geelark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLark_120_Core_Firefox__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4324
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark_120_Core_Firefox__rule" dir=in program="C:\Users\Admin\AppData\Roaming\GeeLark\env-kit\Core\firefox_64_120\geelark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4068
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLark_120_Core_Firefox__rule" dir=out program="C:\Users\Admin\AppData\Roaming\GeeLark\env-kit\Core\firefox_64_120\geelark.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLarkenvkit__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1088
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarkenvkit__rule" dir=in program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\env-kit.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4652
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarkenvkit__rule" dir=out program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\env-kit.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:424
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLarkenvkitnet__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarkenvkitnet__rule" dir=in program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\envkit-net.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3124
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarkenvkitnet__rule" dir=out program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\envkit-net.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule "GeeLarksync__rule"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarksync__rule" dir=in program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\sync\zx-sync-sdk.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="GeeLarksync__rule" dir=out program="C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\sync\zx-sync-sdk.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4272
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
  "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" "C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar\packages\main\dist\child_dist\index.cjs" C:\Users\Admin\AppData\Roaming\GeeLark C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit "C:\Program Files (x86)\GeeLark\1.8.0\resources\assets" 1.8.0 window
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:3180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:3904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:4328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:2176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:1452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:4364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "df -k"
      4⤵
      PID:4828
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\GeeLark /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\GeeLark\Crashpad --url=https://server.geelark.cn/log/crash --annotation=_companyName=42studio --annotation=_productName=GeeLark --annotation=_version=1.8.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.24 --initial-client-data=0x500,0x4ac,0x504,0x440,0x508,0x7ff690381898,0x7ff6903818a8,0x7ff6903818b8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1688
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\GeeLark" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1564 --field-trial-handle=1892,i,14025729642039680103,1615568530211848322,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PrivateNetworkAccessSendPreflights,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2660
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\GeeLark" --mojo-platform-channel-handle=1792 --field-trial-handle=1892,i,14025729642039680103,1615568530211848322,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PrivateNetworkAccessSendPreflights,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4040
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\GeeLark" --app-path="C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --no-sandbox --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,14025729642039680103,1615568530211848322,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PrivateNetworkAccessSendPreflights,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\GeeLark" --mojo-platform-channel-handle=3584 --field-trial-handle=1892,i,14025729642039680103,1615568530211848322,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PrivateNetworkAccessSendPreflights,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4492
- - C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe
    "C:\Program Files (x86)\GeeLark\1.8.0\GeeLark.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\GeeLark" --mojo-platform-channel-handle=3380 --field-trial-handle=1892,i,14025729642039680103,1615568530211848322,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PrivateNetworkAccessSendPreflights,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GeeLark\1.8.0\Config\CurrentLans

Filesize
5B

MD5
cce16c45e622d9ceae4b626c9353ecec

SHA1
5a7bd4149d0d34d3ec86181cdab1cb8dd3f441d7

SHA256
5c49f88dafe66e0ecdca8f682ae0b38c38ccd3ad464e3358e899beca88c18560

SHA512
49bece6ba2cf39624a2947d9660b44c0c0f3f6970e6671b02f2050fb954cef700b3bad782c00b7e3fd196ae541f0d6c684fd0f77704bd9c9d68d35b94e89a755

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources.pak

Filesize
5.1MB

MD5
f5ab76d2b17459b5288b6269b0925890

SHA1
75be4046f33919340014a88815f415beb454a641

SHA256
4f29587bcd952de1dbc0b98df0aa506bd9fcf447e6a7258c5eb7e9eb780e6d6c

SHA512
6ec6a08418743adb5e20218b73169be4f45f5458592219497c3718e620e37871876788937418f1341e0023c1137f9cac715e6bb941f4690febdda993b072feab

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar

Filesize
46.4MB

MD5
36bfbbab61f2f5712260f154fb41d2da

SHA1
4019555cf928805f09a9d2dbf6314a145e9e1fb9

SHA256
9fcf3654cee1627e995720800ff77202e516d202b743ed5ccef939243199263d

SHA512
42d5f36ed46a0364c746157491c7ea2e888d91d550b1a349f65ea3ef7e4523fdea45129c2a4afdd3c3f0e81113961bb1add77830c49b7febb94ccd993563a294

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar.unpacked\node_modules\@lwahonen\ffi-napi\build\Release\ffi_bindings.node

Filesize
229KB

MD5
b46e3391d7ce8cd25a4b1cb3501ce921

SHA1
6ac6689af1bff09ec3dc124f19fd93f13e7f5908

SHA256
426af3ded3334e4ea356208524c00a4138c99e73692a92ec6cf601c0e2463476

SHA512
17cb31cf00db2124341239b8aee080f6457a0362a0ecfe3bd2125c4484d4656066c65854ece15f2465527d389d35cde6740c6d1e3aeb774bb50314a565b4ab27

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar.unpacked\node_modules\@lwahonen\ref-napi\build\Release\binding.node

Filesize
205KB

MD5
7fa9e0cb679163724c15598d58c25b7b

SHA1
eec27621774ad8b8a67395901abc4dc06dd6eca6

SHA256
8f9130a2a02e0229188689d259390b0aef7a2e6d6defc88accda3556df26dce3

SHA512
534a2e101bbe173bc9f490398c1d834604b8eb76c30af36e31ffc5465ba3b53cab1c9e364c5a843e072bf6cb148fd13c5202ba1ff0872b0b0c82804093103e40

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\app.asar.unpacked\node_modules\uiohook-napi\prebuilds\win32-x64\node.napi.node

Filesize
164KB

MD5
629497ab98678c5d6f9af76ec3c7a867

SHA1
3b56d0c4b787a838972d9a304acdf1d5f2b49f00

SHA256
a4e18d5896c5889635efe31c6f1a0ce8ccafeabe9521e0f92c46a5861e8c290b

SHA512
6d2003903cead41889902ff46ec282503bc234f99c3fbd8124b3e3cb1b1e63bf27e195fe9feb32086a82b6c83fa4e1aab309f8b76dcbb41487c8c987d25a351e

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__phone-app__index.b6b46de4.chunk.css

Filesize
24KB

MD5
13964476e96c133133357d0635c4aed9

SHA1
efffa4e550ac890bd3dd13957a78080e64106ab7

SHA256
bd180fd96236a033b3cce1bccef7507cf4a8d73adba8a99cdfdd63a35be90dcf

SHA512
6b557a15d23733797ea8fad0b80a825c883bc0077d2e6b27340ef93612cabf3bcd239d190fed2f94a56e918c22d6873398c6a489707b0786299363340f286a84

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\p__recycling-bin__index.0571c667.chunk.css

Filesize
453B

MD5
849440631397c3fba22dd8a3251dd4a7

SHA1
4791af822385ecaa59b0882646fda8db40770a16

SHA256
054cc7f2ee039fad55396cef0f03326cc076e365b57445fd880b25bb631e6748

SHA512
2f1809012e34c0bb61e25b69bb38b5c5a62d04929c21b45f39cb20e069c5a120200ce479f77a65aa014c84054c369a71954d08c1c6eadc85eeb5abbb1d81a743

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\gf.a7e59e7b.svg

Filesize
247B

MD5
d94b381b330f322f965b6b617a9a2ca6

SHA1
25c4a2b90ac9dc2a9c2b2a8a6c4c22796b501fef

SHA256
2ad025b28c1c1dbc5e9425685a33fed00681f02072998719ef92c096fb51a4f8

SHA512
9cd254ca48760b797376f7fa43d8368a7ae77f7129f480dc17f274d524968c890dc5c5f62ea7cb69723840aa87c4f890de1933661156cce92a07881ba9662842

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\re.b39da4c3.svg

Filesize
247B

MD5
7e5e15fbf972a23945906337e86c6c28

SHA1
2078590e9c4ef1b82622faf09b26b1b3d24f4bd3

SHA256
0def537f2a767f490379dd1270fd2cf6615776eefa4f0d4b8439defa04292be6

SHA512
18790fca31f00661b1f360cde127463d8fd47efa74d44e3975b4afb550841796db01bc81c2c4b736386b27cd37f62056957b6b6fa06df00a4091fe6198e500b4

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\resource\static\ta.5046f800.png

Filesize
17KB

MD5
cf4e5fdff5551c04d2dd46b81e22a7b6

SHA1
1f4abdd7b525269eb9822b651d45789f80cb47bb

SHA256
fecb3763eee955506badf0c137aadd5b17b8aad503176c9e7784ec2e3eb66ca0

SHA512
8c656f62be3d63dd6f019705bcf5712cddd5668d61815e88144467e59bd00b08ac4636d7866563b76e020b8efe519a735f07b251e93f6c741c805bbfd925c784

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\bq.bce8e70d.svg

Filesize
191B

MD5
caec7df85906eb333b4beef973037364

SHA1
086bfa3fb5a8eb0d63b3e0cb38415c5e8e0a260f

SHA256
805d6707957db3d94c838303df715eaab5031bc89942ede69fcd7f98022c13eb

SHA512
f1251044fc61b3e3e3fa952b80804fc7407893662490db5d82054a59f278af62026c6171020bd184e966e25dd4df7f0e0b8b5f81f43d3b933c44cef85810b547

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\dg.601d72df.png

Filesize
28KB

MD5
b02a180170d40c208cb43ddb7c07dec8

SHA1
0fbf6697982bd06415a6cedcfd6dbbc428235bf2

SHA256
6b5cca9e813b1a5067dd0e3399fc396790a08c54a55d0242c71a299a52299ee7

SHA512
fa74e3bcfcc0a148559d754cdb68a1144db630ac154c809c4f9da77b94ade977ccc689b4d526a1073cb5e1bda85c51e335347ca8a27936674be2c5c49a6014ec

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\home\static\ea.03da05c2.png

Filesize
10KB

MD5
76b708d733f22f0a5e70caf9ab7004b6

SHA1
fe9bf741a6028debe59412cb4e90cb7841909be2

SHA256
6106a12b74687dca42d596859e71b3372dc4642baa4db0df9ebb74d997dc8117

SHA512
3f995776febdc5034fb25bede8ff5a9fb3d11391f12431ab90c0c00334cf3f70d1f6493ccb5d8e850ed9d37130eec80e47ddc9e56babb1805047725811a20cf3

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\i18n\en-US\index.json

Filesize
1KB

MD5
ab222ef73319a8c0cd5839064d8dfbfa

SHA1
c9f5a120c79c49a823a561439643ffab3634db5b

SHA256
12dcbf2aa929ec3c76dfd1b7b4c89affec48bf9cdd61ac1151f41bcd553c0d7d

SHA512
7955a69d9d04ded6d9e93924d7f9adc36587d5fad901a4ea0dc5ea8d7d34081b78f6fdd8d11e17311ab1baa99e6552c742a584f18d08eafa28213db9f113104f

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\image\sync-icon.ico

Filesize
4KB

MD5
eb6661fef0852d6ae1248b8ec6ebace7

SHA1
ffc444b0105c2186276f724ac6871adc42109051

SHA256
4bb0b543b767c2db27291d772047aa45487d7cbe55f6ee51abc76543ccc4eefc

SHA512
6db0e2f33d73e942569d6936978f07581e203250903824d05ae51702efaec48099092ad393dd1c07918b4aaccde7e3f9c35d8a028565239b648b8aada9c8dd39

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\assets\black_white_tips_zh.html

Filesize
6KB

MD5
0c01bab52cc7a8ee4246ae2b375ed19f

SHA1
382263f6144aa67a3fb225e73f2ea669f29dc5d2

SHA256
453e5be686aec3e6a397f8698662448449c9426e97e0384f5f74dd3f058d3bfe

SHA512
3aad6e7a486e96a2ed07dfb8c7133f1becaff0bf60a81eca003afc9ee501cd590addbc661a030e928f6fe544f1f3dfc2fa5c94bb145ef8a581dcdbfc50a8cd74

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\assets\icon\default_app.ico

Filesize
16KB

MD5
06d37c1aa942a7d357cf7ef055566b6d

SHA1
fd9f23a2508b8803be092fbd06e6cdbf9772482d

SHA256
b72bcb9d29c0f16149830af4c61672028e6253790cebe521802f432b7f5c3bcd

SHA512
e257015d13dfc8a89cced907abeaf391f504349a1748ea556428193185f5b03a4c3a697e37454a3877e5716d5702695a1e206447fdce94107c0de5f75342b949

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\env-kit.exe

Filesize
13.7MB

MD5
2c13a70e0b0baeafe8c9e04513ab13ba

SHA1
d9337d8a3fa48afd55d5a11fcafa8c256bb66159

SHA256
863928ac6f0b8199474fcf9eabfde9dea6a9eedc690022cc57a0c4379087587c

SHA512
774e8bc7249d1d9554022ed2cafd130a780486f06e066a03cfc5f1735eccf4ebd6686aba45f7b75ac3ccf6bdbb23e8ec25103df477e874e757ea580e5e2f6e25

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\envkit\envkit-net.exe

Filesize
34.4MB

MD5
95171057d7f51c89b84b9744a90e905e

SHA1
41643e37c7c64715c84fe22b3fea315d6a44c0c6

SHA256
0a3e3e81145c78c4f3d14d7ecf298fefbd98f247a86b9cef6a7dcd475faee7f1

SHA512
bfb999c867410e6463d5d769bfd3c8e25b603c30c5d1effa54c3bb148e357ff5b3834793f59b92007b7cddfdeead1db03c6b719bb69805dee0128c539894331c

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\machine_code\x64\machine_code.dll

Filesize
1.1MB

MD5
6d1130f6e7af6059a7ae4d4cc030d43c

SHA1
05af7946a1726c286c3297da58206e74c7e30d4e

SHA256
7be67f1a2ea1283be93312bd7981febf29fda728dad6dc5857ceb439ff33a09a

SHA512
ca2b747f1b47fef62ba368d590eafbf6a7e006baf1b097bea29e5acbd04374fe99ee2ed85ec6e314d97f91c8813df84069754a7bf9870f9ce7d79bdb8a4275ef

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\resources\assets\window\machine_code\x86\machine_code.dll

Filesize
1.1MB

MD5
7444853563d23f0f8b186a215e81deb2

SHA1
73efd7d69792adaa49f341a69de9895c181ccf87

SHA256
ec4f4d1f6a0615fd7bcc34ca4ba15e40478429f6e8311c30aabbb138a45238b6

SHA512
bd47ad9472a05f001597ab56cf7976980efe5d24f4be81c3a4341933a403a389f4dfd1be1f5026169eaff8df48b11f9ab61432afd7a69748560bcd24bb087b8e

Download Submit
C:\Program Files (x86)\GeeLark\1.8.0\v8_context_snapshot.bin

Filesize
471KB

MD5
ee26bf167455be29ac31cb6dda8e2789

SHA1
04949945da321880cc35cf10810d6d51f4a28f47

SHA256
6c2148be5a6328534d52e2c9d718a4f8ec144acd653d15fa592b0f83ae52ae43

SHA512
e366a7ba3c2e11440294c91c904e3a65022a2514bf7949b4490290bd20a4bfbc4eaf566cc537ef5ce53a15240235fcaa20ddf644c24d7bda5771e090bef988ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp9200.tmp\skin.zip

Filesize
8.1MB

MD5
d65945d09ece98d56b9662f307ffdda8

SHA1
7745b237c2ec25bed633c4fe0e1891b9f5cb50de

SHA256
346adb8669d56ae66c2b8b0295504d68a63fbf71bf41b64d12a35b8495bb6082

SHA512
a82cc0adbe478b22574b8c8d6a9bdc706473071d675c089413a3264c016cd376c918bde0e2f3323828412e2b8d54511c9ccbfc1352d570954825df0d21f00a1f

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\Network Persistent State

Filesize
904B

MD5
b0be0bcbd9bd99d5ea380ccd743721f0

SHA1
8825a9f14a38cec5c8ed315009313e955c273ece

SHA256
829d28f2e8c756b73ab621e06f82fae4c197cab639c2b13606feb322a3025883

SHA512
0d84813668bf44f802f9c55877baf34c9498c6a849b83c721ba48630e000f22633cffbf9c0a299cabb0bb37518688bc2e8d290330fcb487a1fee1f8b65f6342b

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\Network Persistent State

Filesize
873B

MD5
ce5fc7a2ddcc0eaf08bd9b2803735b4d

SHA1
4f37b1163c0443e8e40012d1126378de053846a9

SHA256
53adb265be2e42c84f6da74aa6c5f60edf89610103a641e7f7e537d1a620bd51

SHA512
ec635df2c88283cb1903e45a7fe6ce78100d68c4d2452752dbb4ce4bb0612ec931e6e0f8329f27ff49eae7879a8a0825641cc085737ecdebeac08f3fa5f4c130

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\Network Persistent State

Filesize
904B

MD5
7abcd1be993d4c59a041698aa324b683

SHA1
e3e2163e942e6882ab248fef9645870e23cd8806

SHA256
a6f93f97d4ae96ccb01d4a2203264a45537f7cad4ffde96d180a8da4f03838aa

SHA512
024731bb087a0962ebe848d5a8b165ced083ae28cf80f52c5eb97071a2b61d3870e77ee8e335a22cb32d1d46d0edaad6b6656da96ef2cadcfb6b96c227205ee5

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\Network Persistent State

Filesize
904B

MD5
dd34f99785f733d03d6215b9fb1c316d

SHA1
4970dae410505e2f39d8636e97dd553b896d05ea

SHA256
b1c13957714b1daf85d301c1d8510385cfbdd57fda08e908ce7fb2bf796306b0

SHA512
8523a55ded5417e989d4c5e708fb5b5385937f301361d15109d2b179d7204ac4371512deaa01c340af400275e289e6f4d18e3948b459694e0a6d6cefd1c0fbb4

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\Network Persistent State~RFe5ac276.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity

Filesize
537B

MD5
b8b67110a393795d31749ce5104b458a

SHA1
bcd9d993c9e21a4474aa4db7b606398584de5e0f

SHA256
623040cd9903903e5ebf166d7966469e7c75e6f1334a833e44d08ceaf6baa492

SHA512
a72134c2448d6b048c69572040526cd76027f90a2ad199c636267fc1390ca0c7f14bf412bf2925decee7ae644706cf6848c7e9d7a3262de29608390730a1ed41

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity

Filesize
537B

MD5
13f68eb6d5ab0f166b57ae7bec2869bd

SHA1
72b94b0fa0ace077f3b42bcc7eac3135292122cc

SHA256
d02319a9410eabcc30364fc9374be5f3ea77627108e404be3f6227654b7e1ac0

SHA512
0a4a46307b64f6e072b5c199460696fd81bbd85d78048741565c05a0c543354dbdd467f28de751ab7c2cf365fd4f4903254f1dfd797bd27d8c9688e8def3e74f

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity

Filesize
370B

MD5
7cbdd30a77b095c54c6a9553a204448e

SHA1
fe0defafb5337b84879a42ae4e06143591dbfe6a

SHA256
68ac310e1461a8e31c3802be2e2cd48666073ac1c91a2f35a43640db89672ee0

SHA512
f3b86a787f1f077a5024737e3ba72c03a082d584316c127a1e5bdfaab68599bc90658a8d420d2740f5239a6b6cc3e46efd51847ff7e77d3e31d93f8fa181136f

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity

Filesize
537B

MD5
fa388b29b4da80509f5c158c5eac70ab

SHA1
d117eb20ddec8b356c029344fff4b9871c062e77

SHA256
9262810b754010f44a6acae288b3faea2e3ca485ec737a5c48e8fbb00c4930b4

SHA512
dac5c76ee9952f708108c1019ba1200d4e842e0a2c7bb51983dd851b914ec87c5d47d2a432cf85f242895edfd4b8b43062359d7e7fdd620e43d4e209ecbd767f

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity

Filesize
537B

MD5
ed475a666294192c5265e7f673c4201d

SHA1
ffcd6879f13e00002dda8854a9df9b43bdea4e22

SHA256
7eb5b0f13305fe31884ae4f161e3d38b88594e933e53d2c34f6f21a97f08c82d

SHA512
1a1cd5b62762b665442db9d38f96da9f4c3222a4a6a4966af1eea39e1cfd8d34204749026f1cdbd296e4ce9ea8f0cccfa700621f2084d03e84748de8321e228a

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Network\TransportSecurity~RFe5a21c2.TMP

Filesize
203B

MD5
6c13930a63116a37af8f597ee3f83bca

SHA1
61115b18e97183665230ce76f19d46b39509b86e

SHA256
cca1897ff019f78567a9b215b38662098c7f9fb1996be6b1c58df42080f3db36

SHA512
8cb24a42acdd8861c7b09e0259ecc5fe1531d7a229b1f3245025c2a0321e22aef915d6a0212e9f0c794e4a324ef080ce838c7d1668638195a0c40c8263f1917a

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Preferences

Filesize
132B

MD5
461a4a12225014d50f3150f1a6826883

SHA1
a24947d827fef5c0e8d1477c0aec7ace2e256c8d

SHA256
51e4c89d0bc46da470db4fcf485d6278a0b092c33c9e51bd6cbdb0b104c52fd1

SHA512
f6baef37db8e29bb508a428ad4b79ab2c61bdd349d97043fbcd490c0c4b54b22bf9f89f7c896cb0d791368c7a9724b79024944e7e3de5af0f602bb956ff45299

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Preferences~RFe5a6da0.TMP

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\config.json

Filesize
65B

MD5
719262c68fd354ac2f22304d85ac4891

SHA1
69b3640c4217853bcafae112bb9026219766514e

SHA256
0bbd16c2e3d7b84e6b4416d56c8109ffd79c9a454505d4283db7a003a5e11250

SHA512
ef24a4e1360b21c04d7f5fe0eccf925080cef63e02d27ecbbfd6b7c19e171d00494cff9c251d1721763b04c6469f95ce4f581c9836a175d3c60fd00ab75a71df

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\envkit_sdk\envkit\assets\black_white_tips_en.html

Filesize
6KB

MD5
56d0944c954c51de7b3492b8c866d82c

SHA1
012f75624cd49c053af272df942f6f2bb571e283

SHA256
aa27bb06e88689c47148ea1823e0d8384ec7fe3e99004056d965176641f10647

SHA512
63f29b658f4a0c0113a95ac8bd26a882d86c3267ffb47b9fb4b343fa0461633f269d0be0093f0947298926b4b135cde6cc3dc6d808589266d947e77907936ca6

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\logs\childProcess.20240819.log

Filesize
108B

MD5
959370e05cd7e9f0f711549c87ded785

SHA1
62e6a9c1f53bd0c7024756043ca9dbe4e2659134

SHA256
4fb0df239c9ead450b28a6af86fd6e7a3c4e22ff200877552eb542c1413333fa

SHA512
594261da162fb2c75ce3049ce19465c8f99a7f6c135c9cd28153e2875bd56f8c8aec178e73a97c7873be01b6df1f33481f8f15a89f4148a52540fb0817171170

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\logs\main.20240819.log

Filesize
1KB

MD5
5062d2871d136c72b01bc0e1fa72de14

SHA1
53816c60892ecedf6beb9eb3686fde21b55566a1

SHA256
1966766614b0f113742120d57c2914672847defcb53bf244af507eaba4c83949

SHA512
1d27b237d39e57f3f79f404bae67d5c51dce8595947772aaabdf8ca5121ce6d13c58d727ec263e56dc77ed1be753fe147d7e64247bc8c2038ce3099c9591909d

Download Submit
C:\Users\Admin\AppData\Roaming\GeeLark\logs\operate.20240819.log

Filesize
19KB

MD5
4d6cbcb3d105b48c9f9f19bc38750ae2

SHA1
073ee4e600d2ca78d565791680e7022d74aa2f0f

SHA256
eea85cafcafe86b3a3532e6e1e9bf9870474842e7f67bbb17269bf19600631a7

SHA512
63828619682c3ca2cadbf84c42bdfd09b48b53b3f53c14871d78907e1aa7f68eb5068987506c37ec77a4c3e7256c13ec9ac47f34297b14a8b1c7c64328509ab7

Download Submit
\Program Files (x86)\GeeLark\1.8.0\ffmpeg.dll

Filesize
2.6MB

MD5
7dc4326d8489889449aae6383b4ed7b5

SHA1
7ae7b5b71a8492dfd67dffd1bf17581f8f278aa1

SHA256
b37bf925707dadb7ae1d6756534ee798a9ca0aa354f9cde74c2d9a40f7e47159

SHA512
1d1ccbc30b4bcd407b2580f9065f7dcf7d59cef2fd54e630c8870bac7f57243c0a3624d36d75ec134cc91a46a97a05b5aabe3cb2fa85de7fcef75a44b2bbcf5e

Download Submit
\Program Files (x86)\GeeLark\1.8.0\resources\app.asar.unpacked\node_modules\clipboard-files\lib\binding\electron-v22.3-win32-x64\binding.node

Filesize
120KB

MD5
1a8e7321a91f4b51c8713ba112f2246f

SHA1
da12a0499c9a6379f4a3e7d381997c4e5bfe3f8b

SHA256
3ee3140fcdb146d2cafdd197864260fa74b8eaf9193e25d48be48a84b15009f6

SHA512
1369e35897ad25893ad0961502f4e98dc80b79a192429758cfa6a8eafbc517c6d0ee12f941c87f378e4b361fc42c79c0cecbdc699fc856fbf3ace00ef5484f14

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\AccessControl.dll

Filesize
15KB

MD5
f894e7068ee5f5b4489d7acdde7112c9

SHA1
79ec857791ad4ac76673b05e6fc44e55315424ef

SHA256
3948484bc6a6e8652c2220be411cdcabab73eab46578faca8c0bd01d3ea290ab

SHA512
e85b2bdc27b9721425bb03393e8aad897647053c77d7862ea541e03dc896173af6eaaf182514d46464d560d15c6b9d4652690885426ac1c68e2b9dd8d632e816

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\ExecDos.dll

Filesize
6KB

MD5
774e3b33d151413dc826bf2421cd51e8

SHA1
ab2928dcf6fa54bb9eb16e5f64bfcffaaeee90fa

SHA256
91d5481f576382164703e4ac244052265769377838ac30233ad79c983ed9d454

SHA512
3cf955b13e81e4b6edb292df751ce7f64b0cf30979f57b1609f002859b4e68adc046b6674f76f7b7ce7144382316c344c11fed02d638e62fcc8464c32795a365

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\nsDui.dll

Filesize
978KB

MD5
d849863515a4c3523e0004b564c1687f

SHA1
4c3d695dd29cf270df61d243617b3fcda8b91eab

SHA256
94b322b80d30db8dfa96104b65006e24501748c1a22c1dac8c7f1aed0cfa5439

SHA512
dd7a902bc4d37b3cda59a58bd86ffa7ffc8592677c6cf0c8f11bea2443adc52f68609ced1ad63eb5b09b6861ca03a11cd388a484b0bb5c468adea01eef765662

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\nsSa.dll

Filesize
180KB

MD5
b7aaaf7089faa91ede67d45b62d970cf

SHA1
dd127e1937b0c164d1b6c2dfbbd262914c216e3c

SHA256
142586b600a8b62f2a754b2d88a7412d971896a5559d17078cf05c030511e314

SHA512
ad89f270d65197ce305531c1d6b14fa7565bf899f92e329cae7ab4d7a06415985774507c96737b4d57b772abb5c8288e0abf43c4c21f6bd55aa654d35b3e2beb

Download Submit
\Users\Admin\AppData\Local\Temp\nsp9200.tmp\nsis7zU.dll

Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
memory/3620-3042-0x0000000071690000-0x00000000717B3000-memory.dmp

Filesize
1.1MB

Download