Fender Studio Pro 8 crack from RuTracker gave me a cryptominer + RAT
Downloaded Fender Studio Pro 8 crack from RuTracker (TEAM R2R release). Ran it. Nothing happened. Thought I was fine.
Next day, I noticed an unknown app in my startup menu that I had never seen before. That is when I started digging.
Here is exactly what I found and how you can check your own PC.
What the crack did
The crack executed several R2R tools on Day 1:
| File | Time |
|---|---|
| R2R System v1.3.1.exe | 5:07 PM |
| Setup Sphere Manager v3.0.0.exe | 5:14 PM |
| SphereManager.exe | 5:52 PM |
| WitchConfig.exe | 5:55 PM |
Nothing seemed wrong at the time. But these tools were silently installing malware.
What the malware installed
| Component | Details |
|---|---|
| File | RuntimeHost.exe (original name SimpleRunPE.exe) hidden in C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1 |
| Attributes | Hidden + System (+h +s) - invisible in File Explorer by default |
| Persistence | 3 scheduled tasks named "Windows System Health", "Windows System Health Check", "Windows System Health Monitor" |
| Registry | abWinSysCache value in HKCU\...\Run to run on every boot |
| Process hollowing | Malware injected itself into legitimate InstallUtil.exe (PID 9048) to hide |
| Payload | GMiner cryptominer configured to mine BeamHash to attacker's wallet via beam.2miners.com:5252 |
Attacker wallet: 39f1c115f278f33c79f2097fd300c92f627d9e5999f8d580c3736c499b29b8c3da7
The 24-hour delay trick
The crack installed everything on Day 1 but set the scheduled tasks to trigger on Day 2. This is deliberate. If the malware ran immediately, you would suspect the crack. By waiting a day, most people never make the connection.
How I traced it (brief technical steps)
- UserAssistView - Showed every executable the crack ran with exact timestamps
- File Explorer - Enabled "Show hidden files" and unchecked "Hide protected operating system files" to reveal the hidden malware folder
- VirusTotal - Uploaded RuntimeHost.exe, got 47/72 detections
- Hollows Hunter - Detected process hollowing with "replaced": 1 flag on PID 9048
- Task Scheduler - Found 3 malicious tasks with Author = my username (not Microsoft)
- Registry Editor - Found abWinSysCache Run key value pointing to the malware
- schtasks command - Exported all tasks to CSV for analysis
How to check your own PC
- Run UserAssistView to see recent executables
- Check C:\ProgramData\Microsoft\Windows\Caches\ for random folders with hidden .exe files
- Open Task Scheduler and look for tasks named "Windows System Health" with YOUR username as author
- Open Regedit and check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for abWinSysCache
- Run Hollows Hunter as admin and look for "replaced": 1 in the output
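The manual checks above can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this post, not something the original poster ran; it uses only the indicators the post gives (the Caches folder, the "Windows System Health*" task names, the abWinSysCache Run value, the InstallUtil.exe host process and the VirusTotal SHA-256) and assumes Windows PowerShell 5.1 or later with the ScheduledTasks module present. It cannot see a hollowed process image, so for InstallUtil.exe it only lists running copies and their parent to hand off to Hollows Hunter.

```powershell
# Added example (not from the original post): sweep this host for the
# indicators described above. Run as Administrator.
# Values below are taken from the post; nothing else is assumed.
$KnownHash   = '02743f00223117c2c04fbfb8267ac7272be632a552b8182e943032d1c78a8bf5'
$CachesDir   = 'C:\ProgramData\Microsoft\Windows\Caches'
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'abWinSysCache'
$TaskPattern = 'Windows System Health*'
$findings    = @()

# 1. Hidden/system executables under the Caches folder.
#    -Force makes Get-ChildItem return items with the Hidden and System attributes.
if (Test-Path $CachesDir) {
    Get-ChildItem -Path $CachesDir -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
            $findings += [pscustomobject]@{
                Check  = 'Executable under Caches'
                Item   = $_.FullName
                Detail = "hidden=$hidden system=$system sha256=$hash matches_post_sample=$($hash -eq $KnownHash)"
            }
        }
}

# 2. Scheduled tasks with the suspicious name. Author, creation date and the
#    trigger StartBoundary are shown so a task created on Day 1 with a
#    Day 2 start (the delay trick) stands out.
Get-ScheduledTask -TaskName $TaskPattern -ErrorAction SilentlyContinue | ForEach-Object {
    $start = ($_.Triggers | ForEach-Object { $_.StartBoundary }) -join ','
    $findings += [pscustomobject]@{
        Check  = 'Suspicious scheduled task'
        Item   = "$($_.TaskPath)$($_.TaskName)"
        Detail = "author=$($_.Author) created=$($_.Date) start=$start runs=$($_.Actions[0].Execute)"
    }
}

# 3. Run-key persistence value in the current user's hive.
$val = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($val) {
    $findings += [pscustomobject]@{
        Check  = 'Run key persistence'
        Item   = "$RunKey\$RunValue"
        Detail = $val.$RunValue
    }
}

# 4. Running InstallUtil.exe instances. The post reports the miner hollowed
#    this binary; PowerShell cannot inspect the in-memory image, so these are
#    candidates to confirm with Hollows Hunter ("replaced": 1).
Get-CimInstance Win32_Process -Filter "Name = 'InstallUtil.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $findings += [pscustomobject]@{
        Check  = 'InstallUtil.exe running (verify with Hollows Hunter)'
        Item   = "PID $($_.ProcessId)"
        Detail = "path=$($_.ExecutablePath) parent=$($parent.Name) cmd=$($_.CommandLine)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'None of the indicators from the post were found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hash match only proves you have this exact sample; a rebuilt RuntimeHost.exe will hash differently, so treat any hidden executable under Caches, any "Windows System Health" task authored by a normal user account, and any unexpected Run value as a finding regardless of the hash. Note the script only reads HKCU for the user running it; repeat it under each account on a shared machine.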
Confirmation from security vendors
VirusTotal SHA-256: 02743f00223117c2c04fbfb8267ac7272be632a552b8182e943032d1c78a8bf5
| Vendor | Detection |
|---|---|
| Microsoft | Trojan:Win32/Kepavll!rfn |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Malwarebytes | Trojan.CoinMiner |
| ESET | MSIL/CoinMiner.BYG |
| BitDefender | Gen:Variant.Zusy.605690 |
47 out of 72 security vendors flagged it as malicious. The file is unsigned and carries a fake Microsoft copyright string.
What I did to clean it
```
taskkill /pid 9048 /f
schtasks /delete /tn "\Windows System Health" /f
schtasks /delete /tn "\Windows System Health Check" /f
schtasks /delete /tn "\Windows System Health Monitor" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v abWinSysCache /f
rmdir /s /q "C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1"
```
Why I am posting this
I want to warn others about downloading cracks from RuTracker. This specific Fender Studio Pro 8 release (TEAM R2R) is malicious.
I am open to providing all evidence for anyone who wants to read it - full forensic trace with timestamps, screenshots, and analysis.
Stay safe