Comprehensive behavioral analysis of a trojanized pirated MAGIX VEGAS Pro 23 installer with ransomware capabilities, privilege escalation, and multi-layered persistence.
rsload.net/soft/editor/10312-sony-vegas-pro.html — unsafe piracy website. Multi-component trojan with ransomware, keylogger, and infostealer capabilities. Professional threat actor, CIS-origin indicators.
VEGAS.rar is not just pirated software. It is a professionally crafted trojan disguised as a cracked video editor.
Yes, it installs a fully working VEGAS Pro 23 — everything will look normal. But alongside the installation, a ~4 MB "patch" deploys a full-scale platform for seizing control of your machine. Antivirus won't flag it — the malicious payload is packed inside a legitimate Inno Setup installer and only activates at runtime. The 680 MB archive size and multi-language filename are designed to avoid suspicion.
1. Installs a backdoor (three of them). Three independent persistence mechanisms: IFEO injection (hijacks any .exe launch), COM hijacking (replaces system multimedia objects), and 8 autorun registry keys (with duplicates for resilience). Remove one — two others keep running. They survive reboots and operate at the OS kernel level. Even if you delete the patch itself, the backdoors are already in place.
2. Gets ALL system privileges. Requests all 27+ Windows privileges. Practically: can read passwords from any process memory (including LSASS — Windows credential store), load kernel drivers (i.e. install a rootkit), impersonate any user, read/write any file bypassing all permissions, disable security, remotely shut down the system. It essentially becomes the operating system.
3. Injects code into 40+ processes. Plants malicious code inside trusted Microsoft-signed system processes (msiexec.exe, regsvr32.exe). Your AV sees a signed Microsoft process — while malware runs inside. Notably: it injects into ErrorReportLauncher.exe (VEGAS's own crash handler), which no whitelisting solution would flag.
4. Replaces Windows signature verification. Drops a modified wintrust.dll into a special .local directory next to vegas230.exe. This DLL is the heart of Windows code signing (Authenticode). With the replaced version, any unsigned or malicious file loads without a single warning. This is the most technically sophisticated element of the attack.
5. Breaks the certificate store. Modifies 13+ system certificate stores: adds fake root CAs (can become a "trust authority"), adds intermediate CAs, removes revoked certificates from the Disallowed list, adds itself to TrustedPeople. Result: can intercept all HTTPS traffic (banking, email, messengers) via MITM attack. Also sets ProxyBypass=1 and IntranetName=1, weakening browser security zones.
6. Prepares file encryption (ransomware). Interacts with Volume Shadow Copy Service — deletes restore points so you can't roll back after encryption. Enumerates all drives A: through Z: — maps encryption targets. Checks your country (Geo\Nation) — textbook behavior of Russian-speaking ransomware groups (REvil, LockBit, BlackCat) that exclude CIS nations. Encryption wasn't triggered during the 252-second analysis — likely delayed by hours/days or awaiting a C2 command.
7. Spies on you. Fingerprints your country (5 processes), language (50+ queries), hardware (BIOS, firmware, disks), installed software, all running processes (30+ calls), connected drives and network shares. Uses SetWindowsHookEx — potentially logs every keystroke (passwords, chats, credit card numbers). Runs msinfo32.exe for full system information collection.
8. Hides from analysis. Hides threads from debuggers (NtSetInformationThreadHideFromDebugger — legitimate VEGAS doesn't do this). Detects virtual machines by querying SCSI devices (looking for VMware/VBox/QEMU strings). Evades AV by injecting into signed Microsoft processes. Opens a suspicious local port 127.255.255.255:8086 for inter-component communication.
This is not "just a virus" or a cryptominer. It's a multi-component platform for total system takeover. The sophistication (DLL sideloading of system-critical wintrust.dll, 3 persistence mechanisms, 13 certificate store modifications, redundant deployment directories) points to a professional threat group, likely Russian-speaking — the malware checks the country and spares CIS nations. This is a pattern of groups like REvil/LockBit.
Completely invisible to antivirus. Static analysis returned zero detections. The payload is hidden inside a legitimate Inno Setup installer and only activates at runtime. Email gateways, web proxies, endpoint AV — none of these will stop the file at download or extraction.
Full OS reinstall is the only option. Three persistence mechanisms + certificate tampering + wintrust.dll make cleanup without reinstallation pointless. Critically: even after removing all malicious files, the tampered certificates remain in the store — MITM attacks remain possible. Full reinstall + changing all passwords is required.
Your data is at risk right now. All ransomware prerequisites are in place: privileges acquired, shadow copies deleted, drives enumerated. Encryption can begin at any moment — in an hour, a day, or on operator command.
All passwords are compromised. SeDebugPrivilege + potential keylogger (SetWindowsHookEx) = any password entered on this computer may have been intercepted. Banking, social media, work accounts — all at risk.
If you ran it: disconnect from network immediately. Reinstall Windows. Change ALL passwords from a different device. Enable 2FA everywhere. Check bank statements.
If you didn't run it: delete the file. Block rsload.net at your firewall/proxy. Don't download pirated software — in this case, a "free" video editor would have cost you all your passwords and files.
This sample was downloaded from rsload.net. Based on our analysis, YonSeSecurity strongly advises against downloading any software from this website.
If a file marketed as a "verified crack" contains a professional-grade trojan with ransomware capabilities, there is no reason to believe other downloads on this site are safe. Every file downloaded from this source potentially carries a similar or different malicious payload.
Recommendation: the domain rsload.net should be blocked at the corporate DNS/proxy/firewall level. Users who have previously downloaded software from this site should perform a full antivirus scan of their systems.
YonSeSecurity Threat Score: 9.2 / 10 — CRITICAL. If this file was executed, consider the system fully compromised.
A 680.7 MB RAR archive masquerading as pirated MAGIX VEGAS Pro 23 was submitted for dynamic behavioral analysis. It contains a legitimate VEGAS Pro installer bundled with a malicious Inno Setup "patch" deploying a sophisticated multi-component trojan.
The malware installs real software as cover, then establishes 3 independent persistence mechanisms (IFEO + COM hijack + RunOnce), escalates to all Windows privileges, injects code into 40+ processes, tampers with the certificate store, sideloads a modified wintrust.dll, and interacts with Volume Shadow Copy (ransomware indicator).
Static analysis: zero detections — the payload is packed inside Inno Setup and detonates only at runtime. Most gateway scanners would not flag this file.
A modified wintrust.dll placed in vegas230.exe.local\ completely disables Windows Authenticode signature verification. No legitimate software does this. This is the definitive proof of malicious intent.
Classification: Trojan.Dropper / Trojan.Injector + Ransomware + Keylogger + InfoStealer
| Field | Value |
|---|---|
| Filename | VEGAS.rar |
| Size | 680.7 MB (~713,556,377 bytes) |
| SHA256 | 73eab17ee0ed19f8f132c6cd6e785b64007afd938f7512c2ed60a998e038734f |
| Analysis ID | YSS-260323-vyzv3ah131 |
| Platform | Windows 10 v2004 (build 20260130-en) |
| Runtime | 252s kernel / 276s network |
| Installer (legit) | VEGAS_Pro_23.0.0.302_x64_DLV_DE-EN-FR-ES_250927_01-38_0D3BEAA0.exe |
| Patch (malicious) | MAGIX VEGAS Pro v23.0.xxx patch.exe |
| Patch packer | Inno Setup (~4 MB, /SL5=4159888) |
| Analysis tags | ransomware persistence privilege_escalation discovery |
User downloads VEGAS.rar from a piracy website. The 680 MB size and multi-language filename (DE-EN-FR-ES) suggest a legitimate offline installer.
Real VEGAS Pro 23 installs alongside 4 VC++ Redistributable packages (2013 x86/x64 + 2022 x86/x64). 200+ files to Program Files, 60+ system DLLs to System32/SysWOW64. 12 audio plugins registered via regsvr32. User sees working software.
Inno Setup patch (~4 MB) deploys into two redundant directories: is-I7JGU.tmp and is-15UOK.tmp. Drops nircmd.exe, writes fake serials via nircmd inisetval, places trojanized wintrust.dll in .local directory.
A) IFEO injection: DevOverrideEnable=1 — hijacks any .exe launch.
B) COM hijacking: replaces DirectShow CLSIDs — fires on any multimedia init.
C) 8 RunOnce keys (4 unique + 4 duplicates for fault tolerance).
Requests ALL Windows privileges (27+ tokens: SeDebug, SeTcb, SeLoadDriver...). Anti-debug (NtSetInformationThreadHideFromDebugger). Anti-VM (SCSI/BIOS fingerprint). DLL sideloading (wintrust.dll). Tampers with 13+ certificate stores. Injects into 40+ processes (WriteProcessMemory).
Profiles victim: geo (5 processes), language (50+ queries), drives A:-Z:, BIOS/firmware, processes (30+ enum), installed software. Interacts with Volume Shadow Copy (vssvc.exe + srtasks.exe). Opens local listener on 127.255.255.255:8086. SetWindowsHookEx (potential keylogger).
30+ unique processes, 100+ instances observed.
Image File Execution Options — enables system-wide executable hijacking. Any .exe can be redirected to malware by registering a "debugger".
Hijacks DirectShow filter CLSIDs — fires on any multimedia application initialization.
8 RunOnce entries (4 unique + 4 duplicates for fault tolerance):
| Package Cache GUID | Executable | Flag |
|---|---|---|
| {9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} | vcredist_x86.exe | /burn.runonce |
| {042d26ef-3dbe-4c25-95d3-4c1b11b235a7} | vcredist_x64.exe | /burn.runonce |
| {47109d57-d746-4f8b-9618-ed6a17cc922b} | VC_redist.x86.exe | /burn.runonce |
| {5af95fd8-a22e-458f-acee-c61bd787178e} | VC_redist.x64.exe | /burn.runonce |
VEGAS_Pro_23_setup.exe requests all 27+ Windows privileges. No legitimate installer does this.
| Token | Capability | Sev |
|---|---|---|
| SeDebugPrivilege | Read/write ANY process memory (LSASS credential theft) | Crit |
| SeTcbPrivilege | Act as part of the operating system | Crit |
| SeLoadDriverPrivilege | Load kernel-mode drivers (rootkit installation) | Crit |
| SeTakeOwnershipPrivilege | Take ownership of any object | Crit |
| SeImpersonatePrivilege | Impersonate any user token | Crit |
| SeCreateTokenPrivilege | Create arbitrary security tokens | Crit |
| SeBackup/RestorePrivilege | Bypass all ACLs for file read/write | High |
| SeAssignPrimaryTokenPrivilege | Assign tokens to processes | High |
| + 19 more privileges | SeLockMemory, SeIncreaseQuota, SeMachineAccount, SeChangeNotify, SeUndock, SeSyncAgent, SeEnableDelegation, SeManageVolume, SeCreatePagefile, SeIncBasePriority, SeProfSingleProcess, SeSystemtime, SeAudit, SeShutdown, SeRemoteShutdown, SeCreatePermanent, SeSystemProfile, SeSystemEnvironment, SeSecurityPrivilege |
wintrust.dll is the Windows system DLL responsible for Authenticode signature verification, trust chain validation, and catalog file checking. The .local redirection mechanism forces Windows to load the modified version INSTEAD of the system one.
Result: everything loaded by vegas230.exe bypasses signature verification. Unsigned DLLs, modified plugins, and malicious extensions load without warning.
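A disk-side hunt for this sideloading pattern, added here as an example and not code from the report or from YonSeSecurity: it walks a directory tree for `<app>.exe.local` folders that hold system DLLs and compares each one against the SHA-256 of the genuine system copy. The directory tree, the DLL bytes and the reference hash are all constructed; crypt32.dll and dnsapi.dll in the watch list are assumed additions beyond the wintrust.dll seen in this report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# System DLLs whose presence in a DotLocal directory warrants a look.
# wintrust.dll is the one from this report; the other two are assumed additions.
SENSITIVE_DLLS = {"wintrust.dll", "crypt32.dll", "dnsapi.dll"}

def find_dotlocal_sideloads(root, reference_hashes):
    """Walk `root` for '<app>.exe.local' directories and report sensitive DLLs
    found inside them. The DLL's SHA-256 is compared with the hash of the
    genuine system copy in `reference_hashes`: 'modified' if it differs,
    'unmodified' if equal, 'unknown' if no reference is available."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.lower().endswith(".exe.local"):
                continue
            local_dir = Path(dirpath) / name
            for dll in local_dir.iterdir():
                if not dll.is_file() or dll.name.lower() not in SENSITIVE_DLLS:
                    continue
                digest = hashlib.sha256(dll.read_bytes()).hexdigest()
                ref = reference_hashes.get(dll.name.lower())
                if ref is None:
                    status = "unknown"
                else:
                    status = "modified" if digest != ref else "unmodified"
                findings.append((str(local_dir), dll.name, status))
    return sorted(findings)

def demo():
    """Build a constructed tree mirroring the report's layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Program Files" / "VEGAS" / "VEGAS Pro 23.0"
        local = app / "vegas230.exe.local"
        local.mkdir(parents=True)
        (local / "wintrust.dll").write_bytes(b"constructed tampered DLL")
        (local / "plugin.dll").write_bytes(b"not a system DLL, ignored")
        other = Path(tmp) / "tools" / "other.exe.local"
        other.mkdir(parents=True)
        (other / "dnsapi.dll").write_bytes(b"no reference hash available")
        # Reference hash stands in for the genuine System32 copy (constructed).
        refs = {"wintrust.dll": hashlib.sha256(b"constructed genuine DLL").hexdigest()}
        return find_dotlocal_sideloads(tmp, refs)
```

On a real host, `reference_hashes` would be filled from the known-good System32 copies and `root` pointed at Program Files; `demo()` only exercises the logic on the constructed tree.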
Process: vegas230.exe. Legitimate VEGAS Pro does NOT use anti-debugging. This confirms the binary was patched/trojanized.
vegas230.exe modifies 13+ certificate stores under HKEY_USERS:
| Store | Action | Attack Purpose |
|---|---|---|
| SystemCertificates\trust | Created | Add trusted certs |
| SystemCertificates\Root\Certificates | Created | Install root CA (MITM) |
| SystemCertificates\CA\Certificates | Created | Intermediate CA |
| SystemCertificates\TrustedPeople\CTLs | Created | Trusted publishers |
| SystemCertificates\Disallowed\* | Created | Remove revocations! |
| Policies\SystemCertificates\* | Created | Override policy! |
| ZoneMap\ProxyBypass | Set = "1" | Bypass proxy |
| ZoneMap\IntranetName | Set = "1" | Treat external as intranet |
MuiCache trust provider masking: ci.dll = "Isolated User Mode", powershell.exe = "Document Encryption", dnsapi.dll = "DNS Server Trust"
40+ WriteProcessMemory calls across process boundaries. The malware uses the VC++ Redistributable installation chain as cover for injecting into trusted Microsoft-signed processes.
| Source (PID) | Target (PID) | Context |
|---|---|---|
| vcredist2013 x86 (3036) | VEGAS_Pro_23_setup.exe | Cross-chain injection |
| vcredist (920) | vcredist (2068) | Inter-copy injection |
| VC_redist (4880) | vcredist_x64 (4864) | Package Cache → x64 |
| msiexec.exe (various) | regsvr32.exe (various) | System process injection! |
| syswow64\MsiExec | SysWOW64\regsvr32 | WOW64 chain |
| vegas230.exe (980) | ErrorReportLauncher | Into own crash reporter! |
9 SetWindowsHookEx calls from VEGAS installer processes. Used for intercepting keyboard input and window messages — classic keylogging vector.
The /WaitForRestorePoint:2 flag means the malware waits for the operation to complete before proceeding — consistent with ransomware ensuring shadow copy destruction before encryption.
| Indicator | Status | Significance |
|---|---|---|
| Volume Shadow Copy | Confirmed | Restore point manipulation |
| Drive enumeration A:-Z: | Confirmed | Map encryption targets |
| Geo\Nation check | Confirmed | CIS-country exclusion |
| Full privileges | Confirmed | Access to system files |
| Actual file encryption | Not observed | 252s window insufficient |
NirCmd deployed to two independent directories for fault tolerance. Each runs 7 identical inisetval commands:
The encoded UserEMail is likely a group identifier. The same email in both products and P3-format serials indicate a unified cracking toolkit.
| Technique | Detail | Count | Significance |
|---|---|---|---|
| Geo\Nation (T1614) | Control Panel\International\Geo\Nation | 5 procs | CIS-country exclusion |
| Language (T1614.001) | SYSTEM\ControlSet001\Control\NLS\Language | 50+ | Locale profiling |
| Drives (T1120) | File opened \??\A: through \??\Z: | 26 | Map shares, USB, encrypted |
| BIOS (T1082) | HARDWARE\DESCRIPTION\System\BIOS\* | 4 | VM detect + victim ID |
| SCSI | Enum\SCSI\Disk&Ven_WDC + CdRom | 10+ | Anti-VM fingerprint |
| Processes (T1057) | EnumeratesProcesses | 30+ | Detect AV/EDR |
| Software (T1518) | Installed software | — | High-value targets |
Geo + Language + AntiVM = standard pattern of Russian-speaking ransomware groups (REvil, LockBit, BlackCat/ALPHV).
| Country | Destination | Domain | Proto | Analysis |
|---|---|---|---|---|
| US | 8.8.8.8:53 | c.pki.goog | UDP | Google DNS (bypass local) |
| GB | 142.250.117.94:80 | c.pki.goog | TCP | Google CRL download |
| N/A | 127.255.255.255:8086 | — | TCP | Anomalous local port |
| US | 8.8.8.8:53 | o.pki.goog | UDP | Google OCSP |
| GB | 142.250.117.94:80 | o.pki.goog | TCP | Google OCSP check |
Broadcast address of 127.0.0.0/8 network. No Windows component or VEGAS Pro generates this. Likely: IPC between malware components, local C2 relay (port 8086), or data staging before exfiltration.
| Path | Type |
|---|---|
| ...\vegas230.exe.local\wintrust.dll | DLL sideload |
| ...\is-I7JGU.tmp\nircmd.exe | Hack tool |
| ...\is-15UOK.tmp\nircmd.exe | Hack tool (backup) |
| ...\is-IPTF0.tmp\MAGIX...patch.tmp | Trojan dropper |
| ...\is-L2S1E.tmp\MAGIX...patch.tmp | Trojan dropper (backup) |
| ...\VEGAS_Pro_23\installation.ini | Cracked config |
| ...\DVD_Architect_Pro_7\installation.ini | Cracked config |
COMPOSITE THREAT SCORE: 9.2 / 10 — CONFIRMED MALICIOUS
The sample is definitively malicious. Anti-debug in installed binary + IFEO injection + COM hijack + cert store tampering + wintrust.dll sideloading + full privilege escalation + 40 process injections + VSS interaction — no legitimate explanation possible.
Sophistication level: 3 persistence mechanisms, critical system DLL sideloading, certificate store manipulation, redundant deployment directories, geo/language targeting. This is not a script kiddie.
Geo\Nation + Language checks by 50+ processes combined with ransomware behavior = standard pattern of Russian-speaking groups (REvil, LockBit, BlackCat/ALPHV).
No legitimate installer places a modified wintrust.dll in a .local directory. Even after malware removal, tampered certificates persist — the system is permanently compromised without reinstallation.
Ransomware did not detonate in 252s. Likely delayed activation: timer, C2 command, user inactivity condition, or time-of-day trigger. All prerequisites for encryption are in place.
Detection indicators:
- IFEO\DevOverrideEnable registry creation
- *.exe.local\wintrust.dll file creation
- 127.255.255.255
- nircmd.exe execution outside admin tooling
- SystemCertificates\trust modification by non-system process
- WriteProcessMemory between unrelated process trees
- Sample SHA256 73eab17ee0ed19f8f...e038734f
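The indicators above expressed as detection logic, added here as an example and not the report's own tooling: each rule runs over constructed telemetry records (the record format, process and parent names, and the admin-tooling parent list are assumptions), and the lsass.exe and plain installer records show the rules staying quiet on expected activity.

```python
import re
from collections import namedtuple

# One telemetry record: event kind, acting process, its parent, and a detail
# string (registry path, file path, endpoint, command line or API call).
Event = namedtuple("Event", "kind proc parent detail")

# Constructed sample telemetry modelled on the report's findings; not real sandbox output.
EVENTS = [
    Event("registry_set", "VEGAS_Pro_23_setup.exe", "patch.tmp",
          r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable"),
    Event("file_create", "patch.tmp", "explorer.exe", r"C:\Program Files\VEGAS\vegas230.exe.local\wintrust.dll"),
    Event("net_connect", "vegas230.exe", "explorer.exe", "127.255.255.255:8086"),
    Event("process_start", "nircmd.exe", "patch.tmp", r"C:\Users\u\AppData\Local\Temp\is-I7JGU.tmp\nircmd.exe inisetval"),
    Event("registry_set", "vegas230.exe", "explorer.exe", r"HKU\S-1-5-21-0\Software\Microsoft\SystemCertificates\trust"),
    Event("registry_set", "lsass.exe", "wininit.exe", r"HKLM\SOFTWARE\Microsoft\SystemCertificates\trust"),
    Event("api_call", "msiexec.exe", "VC_redist.x64.exe", "WriteProcessMemory target=regsvr32.exe target_parent=services.exe"),
    Event("file_create", "setup.exe", "explorer.exe", r"C:\Program Files\VEGAS\vegas230.exe"),
]

SYSTEM_PROCS = {"lsass.exe", "services.exe", "svchost.exe", "wininit.exe", "winlogon.exe"}
ADMIN_TOOLING = {"cmd.exe", "powershell.exe"}  # assumed parents under which nircmd is expected

def cross_tree_wpm(e):
    """WriteProcessMemory whose target hangs off a different parent than the caller (simplified)."""
    if e.kind != "api_call" or not e.detail.startswith("WriteProcessMemory"):
        return False
    m = re.search(r"target_parent=(\S+)", e.detail)
    return bool(m) and m.group(1).lower() not in {e.parent.lower(), e.proc.lower()}

RULES = [
    ("IFEO DevOverrideEnable", lambda e: e.kind == "registry_set"
        and e.detail.lower().endswith(r"image file execution options\devoverrideenable")),
    ("DotLocal wintrust.dll", lambda e: e.kind == "file_create"
        and re.search(r"\.exe\.local\\wintrust\.dll$", e.detail, re.I) is not None),
    ("127.255.255.255 connection", lambda e: e.kind == "net_connect" and e.detail.startswith("127.255.255.255:")),
    ("nircmd outside admin tooling", lambda e: e.kind == "process_start"
        and e.proc.lower() == "nircmd.exe" and e.parent.lower() not in ADMIN_TOOLING),
    ("cert store write by non-system process", lambda e: e.kind == "registry_set"
        and "\\systemcertificates\\trust" in e.detail.lower() and e.proc.lower() not in SYSTEM_PROCS),
    ("cross-tree WriteProcessMemory", cross_tree_wpm),
]

def detect(events):
    """Return (rule name, acting process) for every record matching a rule."""
    return [(name, e.proc) for e in events for name, rule in RULES if rule(e)]
```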