hxxps://github[.]com

max time kernel
159s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

GearUP-2.4.3-win.exe

description ioc process

File created C:\Windows\System32\drivers\hostpacket.sys GearUP-2.4.3-win.exe
File opened for modification C:\Windows\System32\drivers\hostpacket.sys GearUP-2.4.3-win.exe

description	ioc	process
File created	C:\Windows\System32\drivers\hostpacket.sys	GearUP-2.4.3-win.exe
File opened for modification	C:\Windows\System32\drivers\hostpacket.sys	GearUP-2.4.3-win.exe

Executes dropped EXE 13 IoCs

Processes:

GearUP-2.4.3-win.exe7za.exelauncher.exegearup_booster.execrashpad_handler.exegearup_booster_ball.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exe

pid	process
5232	GearUP-2.4.3-win.exe
4124	7za.exe
4044	launcher.exe
6128	gearup_booster.exe
5928	crashpad_handler.exe
3328	gearup_booster_ball.exe
3460	gearup_booster_render.exe
5260	gearup_booster_render.exe
3804	gearup_booster_render.exe
5052	gearup_booster_render.exe
2140	gearup_booster_render.exe
5752	gearup_booster_render.exe
1620	gearup_booster_render.exe

Loads dropped DLL 30 IoCs

Processes:

gearup_booster.execrashpad_handler.exegearup_booster_ball.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exegearup_booster_render.exe

pid	process
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
5928	crashpad_handler.exe
5928	crashpad_handler.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3328	gearup_booster_ball.exe
3460	gearup_booster_render.exe
5260	gearup_booster_render.exe
3804	gearup_booster_render.exe
5052	gearup_booster_render.exe
2140	gearup_booster_render.exe
5752	gearup_booster_render.exe
1620	gearup_booster_render.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gearup_booster.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GearUPBooster = "\"C:\\Program Files (x86)\\GearUPBooster\\launcher.exe\" /silent"	gearup_booster.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

gearup_booster.exe

description ioc process

File opened for modification \??\PhysicalDrive0 gearup_booster.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	gearup_booster.exe

Drops file in Program Files directory 64 IoCs

Processes:

7za.exegearup_booster.exegearup_booster_render.exeGearUP-2.4.3-win.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\en-US.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ja.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\mr.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ta.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-core-processthreads-l1-1-1.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\lsp.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\wfp\win\x64\gunfwfp.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\wfp\win7	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe	gearup_booster.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\tap_driver\i386\nw_tap_0909.cat	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\tap_driver\arm64\OemVista.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_render.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-core-synch-l1-2-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\widevinecdmadapter.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\shence.log	gearup_booster.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\lv.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\d3dcompiler_47.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\libcef.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\debug.log	gearup_booster_render.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\th.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe	gearup_booster.exe
File created	C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe	GearUP-2.4.3-win.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\fi.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\tap_driver\i386\NW_TAP_0921.inf	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\libEGL.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\wfp	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\debug.log	gearup_booster.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\ucrtbase.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ml.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ro.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-crt-math-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-crt-utility-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\UETSdk.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\wfp\win\x32\nwwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\bn.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sl.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\update.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\browser_d.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\openvpn.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\ca.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\he.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\tap_driver\i386\NW_TAP_0921.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-crt-filesystem-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\browser.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\browser.dll	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\wfp\win7\x64\gunfwfp.sys	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\el.pak	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\de.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\it.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\lspinst_x64.exe	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\wfp\win7\x64\gunfwfp.sys	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\wfp\win	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\local_proxy.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\hr.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\cef\3.0.0\locales\sk.pak	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\launcher.VisualElementsManifest.xml	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\tap_driver\i386\OemVista.inf	7za.exe
File created	C:\Program Files (x86)\GearUPBooster\9155\api-ms-win-core-localization-l1-2-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\host_dp.dll	7za.exe
File opened for modification	C:\Program Files (x86)\GearUPBooster\9155\udp_connect_lsp.dll	7za.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

GearUP-2.4.3-win.exegearup_booster.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	GearUP-2.4.3-win.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gearup_booster.exe = "11000"	gearup_booster.exe

Modifies registry class 7 IoCs

Processes:

gearup_booster.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\URL Protocol	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell	gearup_booster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open	gearup_booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gu\shell\open\command\ = "C:\\Program Files (x86)\\GearUPBooster\\9155\\gearup_booster.exe \"%1\""	gearup_booster.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{2F803EAF-B5E8-4CCA-BA47-63522E5C6291}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gu	gearup_booster.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 615592.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 615592.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exegearup_booster.exemsedge.exe

pid	process
988	msedge.exe
988	msedge.exe
540	msedge.exe
540	msedge.exe
4356	identity_helper.exe
4356	identity_helper.exe
6032	msedge.exe
6032	msedge.exe
8	msedge.exe
8	msedge.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7za.exe

description pid process

Token: SeRestorePrivilege 4124 7za.exe
Token: 35 4124 7za.exe
Token: SeSecurityPrivilege 4124 7za.exe
Token: SeSecurityPrivilege 4124 7za.exe

description	pid	process
Token: SeRestorePrivilege	4124	7za.exe
Token: 35	4124	7za.exe
Token: SeSecurityPrivilege	4124	7za.exe
Token: SeSecurityPrivilege	4124	7za.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exegearup_booster_ball.exegearup_booster.exe

pid	process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
3328	gearup_booster_ball.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exegearup_booster_ball.exegearup_booster.exe

pid	process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
3328	gearup_booster_ball.exe
6128	gearup_booster.exe
6128	gearup_booster.exe
6128	gearup_booster.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

pid	process
5232	GearUP-2.4.3-win.exe
4124	7za.exe
4044	launcher.exe
6128	gearup_booster.exe
5928	crashpad_handler.exe
3328	gearup_booster_ball.exe
3460	gearup_booster_render.exe
5260	gearup_booster_render.exe
3804	gearup_booster_render.exe
5052	gearup_booster_render.exe
5752	gearup_booster_render.exe
2140	gearup_booster_render.exe
1620	gearup_booster_render.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 540 wrote to memory of 4880	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 4880	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 2376	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 988	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 988	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 1280	540	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa3f246f8,0x7ffaa3f24708,0x7ffaa3f24718
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
2⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4016 /prefetch:8
2⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
2⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3432 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
2⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
2⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6944 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4752 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13960206779511579627,4520996037533250858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
2⤵
PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5944

C:\Users\Admin\Desktop\GearUP-2.4.3-win.exe
"C:\Users\Admin\Desktop\GearUP-2.4.3-win.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe
"C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"
2⤵
PID:5816

C:\Program Files (x86)\GearUPBooster\launcher.exe
"C:\Program Files (x86)\GearUPBooster\launcher.exe" /install_shortcut 1 /install_autorun 1
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Program Files (x86)\GearUPBooster\9155\gearup_booster.exe
"C:\Program Files (x86)\GearUPBooster\9155\gearup_booster.exe" /install_shortcut 1 /install_autorun 1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6128

C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe
"C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --metrics-dir=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_proxy.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_tun.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_lsp.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccc56415-b255-47e0-07bc-c238fb205d68.run\__sentry-event --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccc56415-b255-47e0-07bc-c238fb205d68.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccc56415-b255-47e0-07bc-c238fb205d68.run\__sentry-breadcrumb2 --initial-client-data=0x460,0x464,0x49c,0x468,0x4a0,0x73c45160,0x73c45174,0x73c45184
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5928

C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exe
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exe /main_form_wnd 328440 /show_flag 0 /pos_x -1 /pos_y -1 /version 9155 /client_id 668133acc07c031778c15e29 /gray 0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=AEDE5517E073697513C0720C9C62E65F --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=AEDE5517E073697513C0720C9C62E65F --channel="6128.0.1938701461\677606506" --mojo-platform-channel-handle=3984 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=EA005075097EE091CAD8E28FE348FCCE --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=EA005075097EE091CAD8E28FE348FCCE --channel="6128.1.1877601195\1385330204" --mojo-platform-channel-handle=4892 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5260

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=F3D9C2E1A305613D67D6F09DC15BA74A --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=F3D9C2E1A305613D67D6F09DC15BA74A --channel="6128.2.805882726\366490794" --mojo-platform-channel-handle=4896 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=B81FFE2108648DED3B24730699D3A78C --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=B81FFE2108648DED3B24730699D3A78C --channel="6128.3.1043561616\544510924" --mojo-platform-channel-handle=5044 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=799486D4BA6D3C616E8D8FDF4EDB627A --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=799486D4BA6D3C616E8D8FDF4EDB627A --channel="6128.4.1585889129\1256293316" --mojo-platform-channel-handle=5456 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=2B88759CF091DDE0CDF7062C9F39558C --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=2B88759CF091DDE0CDF7062C9F39558C --channel="6128.5.1339048886\985299888" --mojo-platform-channel-handle=5452 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5752

C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe
"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=39A9182D0E74B8FC29EB6A9AEE4A3100 --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=39A9182D0E74B8FC29EB6A9AEE4A3100 --channel="6128.6.941354670\1802700885" --mojo-platform-channel-handle=5496 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://win.booster.gearupportal.com/login/facebook/RPGQuwIw90cjzULhCZbQ3E3M78Uyjjo8mWEQg7QXMkKj0WRP8sv3HDKBlijG4rGC/
4⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa3f246f8,0x7ffaa3f24708,0x7ffaa3f24718
5⤵
PID:5056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x4f4
1⤵
PID:6124

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GearUPBooster\9155\VCRUNTIME140.dll
Filesize
88KB

MD5
81b11024a8ed0c9adfd5fbf6916b133c

SHA1
c87f446d9655ba2f6fddd33014c75dc783941c33

SHA256
eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829

SHA512
e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\browser.dll
Filesize
38KB

MD5
1360c1d67a865ba1f6085e2246f42677

SHA1
ea3eca123552859a8ef4bd0c2db133acda97c300

SHA256
9c25f4fa25116542a9c16d94ababec450c6184c6e8bc3cd90f3d9dc4ed5bcc39

SHA512
64c290db722c28cd613cf0674d0fccbc54b1b9c5338b59cecaa2cea1d78ec061793b12eb2289d9b901f84b91fac85b9a6f974e3ca751ac31f788d859a7bdae07

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe
Filesize
853KB

MD5
5a243339440082631749f4bdff283bf5

SHA1
4c3512320b1b3c05ce265037a37aa3f16d3cc57c

SHA256
80d4effa417d43821a0a0ee967a290836501edd4b6057f033c7ebc449badd150

SHA512
c0b889a819ac5cc6904caeb37e504e6a50d33e49a0e6fb6bdaf8e372190c9bca021017103a7dfcedf7e2c8d9c6a1f3eef103cdf389a5f6bb9ff71f03783ebe24

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\crashpad_wer.dll
Filesize
36KB

MD5
e161e5dd4c57dbb72ef46cd60ac7c8b3

SHA1
7889c0cd22720bb76195bb8de0b77ebcc8068d57

SHA256
e4a2295cff0949d9f0a646f36d7fbaa40fefdbf5958d21b091f95d9c96c345d5

SHA512
d08200a5535cfafac52a0fc16b5512863d6d8d70514bd8cd3324451c47cb5cd5d5592c3ac1440308f52d4142c1551a891a1d4ea7332159b2f4c5bd249b6fd100

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster.exe
Filesize
7.7MB

MD5
65b9b5f31e8219bbd995417fe3c4b415

SHA1
9ea7a4babab60964aba8816afad647670389513f

SHA256
05a21a10bbb7b46ae2a3e296501de6347ddc9d204ea9afb2056ecd13ced002dc

SHA512
31d58e7de70e5df28a67a518d10995ad6590d91f57be6aee03f2c7a93bf71f4bb6d5822e1e7d43f8c860d71cfa5a8e237c8dda0fde8e6d20751e80365b66501a

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exe
Filesize
1.4MB

MD5
68d00dfd9a92e1031115d3132f529d71

SHA1
2b02cd13314f42b105d7fa1d2cf45ebbc1c6c756

SHA256
1a2bee6f9ff35f69a9c0c503c3449fc6beb258b0c7f69a3634419139ac876b79

SHA512
49676ddccdc364e752e7783d07ac70b262a45cfd2290876c26b2643efe05546bc6d9909bdeaa1c15353891f1a0a543bf1630b1990e02fcee8827842197dcc112

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_vpn.dll
Filesize
33KB

MD5
9a4e4b68a7d9a48781996212828dbd5c

SHA1
cb64a4e2680226455caf50505b9db397df22f2e6

SHA256
435b04e9f1692558a52e906605c12d00fd65199b2ddc36e853645e61174e6c20

SHA512
b58a078f713c99b9f47d28e40cf051f85bf70f20348e8a6fdd4e330fa92a51fd3241807eab07ad5f74cfcd23276f531d6b15688b5bc463806a70f230fb47c67b

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\hostfp\64\hostpacket.sys
Filesize
37KB

MD5
5ac815ad2f4386140fe4c7eef3b06233

SHA1
6dd0e26f3c447602109253a7eaad59064c4162ca

SHA256
08d86eae497df069ef9e6525e9513a019ff7a9971780c1987fde858d51f4ed66

SHA512
98cf60aceabadc078e00ad1e274028714f7bbf3c86f0522ab423d50231156a2513e8cc1946b242c64af7287648e6d4ba5e630824b4d83134c471689db42fbbf5

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\lunasvg.dll
Filesize
344KB

MD5
45edee8d5b3f30f280450edfd2a0d7e3

SHA1
426cd368ffde347d5160bbd8de7ce492f441590b

SHA256
99410178464567de43b0a77cace66b8a4c1531618008604dc6b04741fff5fbd0

SHA512
40d95f257b28de69956a1d3c00cd10aab9e5d01484cb30e4a6c010001ac3cdc2264128829e9a91f2218a92b3dd86f31f94d0cd2eeb86acd1fa9c17f09c77b71d

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\msvcp100.dll
Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\msvcp140.dll
Filesize
432KB

MD5
a6b18a2772631cdd06f95b19d66d2d4f

SHA1
c342250efab725f643e598f49d1710c74f78d022

SHA256
76cc277b564e69e35a0d9c440f013a52b5d25f43ba42fd0099d6fc1f05a6ce16

SHA512
f98e07c1b92ecfc662021e33486b660942de390b8e947126f304adee911da0574d6cac416748f6f03e6cce981737eb694fb3d2bcd80e1e207eba91a44b5f23e5

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\msvcr100.dll
Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\ping.dll
Filesize
737KB

MD5
f6d2eb976262c38807a6360400cc7426

SHA1
c2c74cc82d3910942902d6a3c34b049ff1dac8f4

SHA256
64694d15976d2725fffe371f10c5c9203963da1d6784f7fc2873a89c4171e80d

SHA512
0a233d2f87507760d3a61f3b1acd626eff89a961a37802fcd1608e5079def33bcd47c61c6c2a6e58d8b17d98eee71263ff0076591c251d5b3374dd69383a17d2

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\sentry.dll
Filesize
426KB

MD5
bf9002bf5c878cdca749025a5f875d6b

SHA1
e916d3121706dbd1ada335b414e4601373b86ef8

SHA256
4d9af7c5442387ed91671d2f0360eb6cba3baa3c706b8f6b898d3018b8c7fb05

SHA512
34873e1bd9c077046469db3a2176581aea162933c39c51f1ded462030fb2238a93b3d7e20ff14a497be42e019f2f23add141d98b662b395618bf69ed74a90a20

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\skin.dll
Filesize
12.1MB

MD5
eeab6bf7b91f63905b4403415af6415b

SHA1
4c6fa62c41ef9441cae4d9aa37b9735474e7ba1b

SHA256
f8183accf12862f017180459a1a72cc3d530e7593c71f109cb814ace51462a75

SHA512
6236e0534ffc5004e4caf351db3242ebfa93d4ab46d583b893b75998f418b9ab7a75d049b6e037b9602ddcf791e432b107e64208443e7087eb83fce54b22d42d

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\ui.dll
Filesize
1.1MB

MD5
8256d3f4b3fd1eecac8ebd4966bc1d09

SHA1
846197d00035e873c5a10e52e8ce99bfb10a1eb8

SHA256
ff1cfc47aa9fd35610bde13e00cc71e5b16db15b5ba0e3428b19036020945e70

SHA512
f554b7003ba7f3c910e863df197dbbcca664a1946852e4f16571558866207b90989d24da1211428daf7407b4c129e579181106cdbc77d91af91f822b1f9249f1

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\uninstall.exe
Filesize
2.1MB

MD5
00135bef1ab04611975e87cf59c9b866

SHA1
4ced109784ac42df55452ebeb92dc377ed46239c

SHA256
9e7535baaa9e53830eac7eaa37e54ebd1511797978c5c6fca61d6fb805a4e761

SHA512
3d0d8d28eb0f574d6892a7b9b2b0e9a0e4ce1943ffefd1267cb471a17d9cc2e41f1e941bfee89be36b13f90c10fb2d2bc5a84b7ab6a3a5d5c2b6c2e14910c5e0

Download Submit
C:\Program Files (x86)\GearUPBooster\9155\update.exe
Filesize
2.2MB

MD5
d53a5d4026a225ef30fda64ab61da9d4

SHA1
37557cb623b046a36e20001048ac49e9b3ec3ac5

SHA256
eb51d2eee7bcc6839c52504205eeaeb9dab1eac318e725586ae824d14c899a5a

SHA512
ac37d3e80bc865cee829c6ad31bdc946ed6f000a08041a1bcf86a66fb3c83bf03696e68c511d1ea71d4f03a72554c992123feeb3682d7f9d5899f430431fb704

Download Submit
C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe
Filesize
589KB

MD5
c6d72642721e84d227defc3ec4ab12e6

SHA1
3709a7c3cc795a0012adc6ccaf82a93628703518

SHA256
0cc0de83b51dae55a4fcae559defc87bea8448010d064c316abcfe9459ece035

SHA512
fa2c8b9fa34b190be45fc363f4760603cb6a389bc01fd617a1861ac709eef5e5dd42ea3d5524a1660ea8202dc17687265cd9bb87f5b4c9a9cf714744a8489389

Download Submit
C:\Program Files (x86)\GearUPBooster\launcher.exe
Filesize
921KB

MD5
ffda1f7fbe1d583392297d76c5676b48

SHA1
e37229940a14f16c0d7988a01660b86d34ddd5bf

SHA256
77fadce88805497a5fb83fe29c9c4a46b5160acd2d09bc90133314529f365868

SHA512
4edcf775e4cc1e53fca84b0ad68e9e826b0b379f0675390671c87433d9db2ac1e5fc8a1a330bd2d4300c6cdff3990f051e586d32d155930deb2cb23292a345f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
3cbcec883462b1cddae9b74d6a152d39

SHA1
b3f83005264de8920bed0b5e7235f2b611a03086

SHA256
76145042f207afc76c097adc61c4b26b176e14337ce4e0f8cb7f230bdca7b02c

SHA512
f6d4ec85df31460371c2e64fc2c68c9d4e1bec5a8700feb8e752f43cd41f3909990c8c7e9c139ac8a8a11ba9df648402ddffceda91bf2b860401364c1c9150f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
444dbf5ccf5feaced027d8e1d7f642fd

SHA1
6c921bcf517e4d101d7f2ce9fa87d97c72902bd7

SHA256
b3571791bf85e309beaf2aa04a50203cb637bc393ee4e9022e04dc05256da445

SHA512
6bd143f0f125ac90a083281cc5867882b6ff0dae65d675823175fe23c871a81abc2307998b755ee5558d1ee372f802b99207fe1c1e64f29206dc47088931d399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
f2d8cc0e8e05de296a500bc78f9c8eea

SHA1
f224e61cd84437ae3b2d19134c180a68733961b0

SHA256
fba6c4c4bfa65390a8bb8d3dfb2d8d528113a290b1efb7bf3b047f0a2b6f28d2

SHA512
2f777eeeb592e7e75589742bb91947a7212b59b96cad0d0fae981e7d0a834aff564e534111229399fba33f79c31097c973b18febf68eb5ed20cbe8795ee4112d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e895041ad43eec29067b33112b7110e7

SHA1
ba43cb91e94d19ea9ea607145db4918ffe5d5679

SHA256
e6f3be99b37ff5aec378c04dbd989d7c11113cbfd6c193dade565daca59f34bd

SHA512
9380a1e75f0428a2637da697a82bd48741d29b6eec72ec47634fb25d44dc8c1b26b2572a1cc488e8370877a99f3ebb176a070baa35c6e80ea2f1828217f6e544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
1018dc713aadcdc90aa3353f4bcecb9d

SHA1
afb6dbb37e98624b393fc92959d0621a5f363d5d

SHA256
eee07a97d7e333546058ae6065e1de9eebd0ba0886cd7c11408914d45f174978

SHA512
df5197cd894ead2cd82a4affdefcce91ef2b3eb367e0de7d3a8698412d1a2728381cba111ca0a3163c87ae021865e1f9d6edae16cb5573efc64c9f7e54d85bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
d6673168c4ec6b29214b80ef45aef3a9

SHA1
9086b05ba50463f417fd41aeea8de88b6b3f0dc9

SHA256
a8e9d9b637b53c00d31bb2b92e54bb3fcb10aa5b48aef6c9100eefe2f222696c

SHA512
163d0b2ef2f98c9b38455a0bd0889a463b7239b2351b1f74a9ee69f96d23cd970a1a10725ad5280738ff7f6864d440cc00f66d72abd970b15051e3f273398d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
3a76a149bd414ebcaddf9e5e250bb346

SHA1
caff04b37769dee8cc0fbedee03b01075e1fbfe1

SHA256
270a43a4dbab78fee174dd3e805106587b67e77d91727556f78cc704fe941766

SHA512
c9d523e51ea078f78baa34c6f3b352fac1fc924004f77c06dd8559b549b05541b41f33363c6002e89b98febedc26012ca734702f3176dc4df797cd5c20ec0ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
318d8e1721b507f4e4f8cf9425745e14

SHA1
41643f5e7c089ce40e250cae776992ae3dfaee41

SHA256
a109f82aac11a3fc0a3e744245a2da49901749b41c0df4bc8ecb2e57236284f6

SHA512
ea2d927c3f5d7aa3d95c5dfcc34db7dd4f0235ab2868c4321627c412153896c4b513e7c136a130ab8c1c9563a51733f831fd2e329ab499fff3d9f37a65eccfe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
476951fd84feec1c10a311c79fbded96

SHA1
4e0c0f796dc6da19da649d5e6ef93cf8cb830389

SHA256
ec9e94d8612bb79ddd63b8424128a2e314bf558fd31e029905a76b4bf2489438

SHA512
c701b00e3d18e6466b4a2a2b06701c5b53fd720b062ebe96b400266be20631678dfb253ab6a0054522476e591632300ee4ebef3ea7f9c0e23ac2145b93c9b495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
c2cecac438e687ec26e09dc5ea4c9b04

SHA1
f849205a38916dac3e8a86f9f34edd46fd2a67e2

SHA256
089a8e72cd25e2d3686f9944bbae761d1a97742d29e3a27005abf4dafbe917cb

SHA512
956064fb0c3ceb6f4d51a7934b11a9035d0d35a4f669c36b2c15b3615bdd8b36bd40b2bf7e6249916ee85c57e9d022ac5c04919c3187420de78475d015397283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3e7d266d76379dff10cb7adde1d61881

SHA1
8d3bd9336f7f5ee0c5f054d1817e74b24e85e3ba

SHA256
0b374c3a9923ed5ac9d24fb8465bb8a2609d30e9641d815367e142b795aa209a

SHA512
19d823f95e7ba88eb0b0743ecc0debb7d9dd887077a069b8923c3fa72f6eda87f0a9b058d9970cfa7fc215f7feb4cde57d24258cfa524f239ecd237623b5bb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a10b247e7f250f901b5234d091ed2a6c

SHA1
9f5b344373067e8681285e80d71c1583eab417f8

SHA256
b0fc99e96af51b161cc3352bfe21674a57ab7cdc37edf8326b944d46102192e6

SHA512
bb591b2dd29e1e55d1453f3ac3449de9deefd3c5fb7e0087e3852010d573510cdecc7409a4105f0037ab7aedd3df751c96558f2263f959b7f9b614bc21b28e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9e9536b75baee0334f67a6d829f68afc

SHA1
92ef82408852c234993aa77955eeaa0d32f479a5

SHA256
020d0b747a0363f3f8f0c37548b313ece0b114994caf3ef885dbe18c98ff0060

SHA512
64bf890abb08e7f20fb2545386087c1c373eb0217bc2aa38e6965fa257638b2701cf08bc09d3ff96e1e303d99f2e6623711a9b6b2e70ce284cf982a0afc41b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a911.TMP
Filesize
706B

MD5
93286f6291c7aff3ffaa57f39abaf545

SHA1
3e0bf898b08281dcb85cda52113410e71b628ee1

SHA256
a4292660b637c9bc3dd65e746b4963ff218d123c304d96954e91674224c99164

SHA512
11d69f409a14195625e518d36cdea5c285e8a985991bcf79d7f5adbb61506eda8483b20f4bc2f91af80bea5db3b4b13f1720e966d2ff25829de502c4deccea90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6c7ec3a3c9ba7382c0e16581e8e97ee8

SHA1
56b82d8bf075ee0bb7ebaac5e610b1803d67b73d

SHA256
83ca7af217b692aa1d2b159217c87cf9397c86ae1d3ed4ab9181c32233ffbd1f

SHA512
b415fa3b11ffe03b29f0cbc39f215cd4840bbf404e090ebc7b36106c8d092a184988939f49fc6be144942798a86026860719d7f32b72970c0c980867b1eb1c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c2a2ed9ab68dfbbb2400bab16205e505

SHA1
d22868218b41ba6ec2ad2ed80d23a9f8a648051d

SHA256
7c5188c9b66ef88a425bcbec87d765043dfc107c6bf5220e19aad71b4fb51a7c

SHA512
8bd50629e5f9918bf486a8c0dd8ff73d658a1e1f4327b04beb71779882d9378ed20c45ee2dab851c552726f54e5dafc45cd2244a0bba3ba05b5d3d0f6ed166db

Download Submit
C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log
Filesize
103B

MD5
548e4159e176cc28b40d771e79b295d5

SHA1
bf02777839823c0564c7afcd2b3690c90684c2ed

SHA256
faad95d4ab18e50a56b5b303878c51a9061e806043218ad29d44c3fd75c41ff4

SHA512
c030cf579edae89aa60069eb1a13261cc7f6301b0816188eb5540ff4abcd0d2e3463ab2349318a6bce2a0874b5fb06ea9d5b45bbc38849194a7ade10fff142bb

Download Submit
C:\Users\Admin\AppData\Roaming\GearUPBooster\webdata\Cache\f_000001
Filesize
59KB

MD5
069a149dafa2cbe038875e6305e0a3b3

SHA1
8ceef3c038262849d903a18c424a858760a001f0

SHA256
1f1ef835eceefdd4910051db6e922af45f44f6d4275142f13897ab20d8e5882b

SHA512
2a732504b0aa573f03fb81a206a785744875bf040043510aaa28a779521586bc358254a4431b5210236a5460e53eb3a19d9ebcd999586b10650883bdb10bb0c6

Download Submit
\??\pipe\LOCAL\crashpad_540_YOJSHOLQFKWKUFAF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1620-1199-0x000000002D000000-0x000000002D001000-memory.dmp

Filesize
4KB

Download
memory/2140-1198-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/3460-998-0x0000000028300000-0x0000000028301000-memory.dmp

Filesize
4KB

Download
memory/3804-1066-0x0000000026600000-0x0000000026601000-memory.dmp

Filesize
4KB

Download
memory/5052-1067-0x000000001A900000-0x000000001A901000-memory.dmp

Filesize
4KB

Download
memory/5260-1065-0x000000003B600000-0x000000003B601000-memory.dmp

Filesize
4KB

Download
memory/5752-1197-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download