Malware Analysis Report

2025-01-18 04:42

Sample ID 230904-ymvczsbc47
Target AntidetectPatreonPremiumEdition2022_JC.exe
SHA256 316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372
Tags revengerat nyan-cat persistence stealer trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file AntidetectPatreonPremiumEdition2022_JC.exe was found to be: Known bad.

Malicious Activity Summary

RevengeRAT

RevengeRat Executable

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Analysis: static1

Detonation Overview

Reported

2023-09-04 19:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-04 19:54

Reported

2023-09-04 19:57

Platform

win7-20230831-en

Max time kernel

129s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2860 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2860 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2860 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2860 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2860 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2268 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2268 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2268 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2640 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2640 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2640 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2860 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2860 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2860 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2860 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

Processes

C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe

"C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 capeturk.com udp
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-04 19:54

Reported

2023-09-04 19:57

Platform

win10v2004-20230831-en

Max time kernel

135s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4624 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4632 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 888 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 4624 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 992 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe

"C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 254.31.238.8.in-addr.arpa udp
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 18.189.76.45.in-addr.arpa udp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 33.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70
SHA512 e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

MD5 70f08e6585ed9994d97a4c71472fccd8
SHA1 3f44494d4747c87fb8b94bb153c3a3d717f9fd63
SHA256 87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa
SHA512 d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi

MD5 577825097157487c7afd2c591ee413bb
SHA1 6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db
SHA256 3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d
SHA512 5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8
SHA512 f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

MD5 2f142977932b7837fa1cc70278e53361
SHA1 0a3212d221079671bfdeee176ad841e6f15904fc
SHA256 961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820
SHA512 a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421