5a64ae79d64d12662f2910ace22873a61d28280191657698cf6bb05f46713c6f

Resubmissions

29/08/2024, 09:25

240829-ldk2qstgph 8

29/08/2024, 09:14

240829-k7qzeawcrm 8

Analysis

max time kernel
331s
max time network
318s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAGIX Vegas Pro 19.0 Build 458 RePack by KpoJIuK (64Bit)/MAGIX.Vegas.Pro.v19.0.458.exe
Size

273.1MB
MD5

1bedeef92eebf22ff8877d4863896b5e
SHA1

53ee359f5e5413ba9eeba280af54815998ef1726
SHA256

b140c2036b2e57e71b72cdcf4cdd6df64d4b41180150b6b953db0c71fdf3f756
SHA512

0525c618c345d4cccb56b6f832c1a1bda13e31f52aced903b687ae218c7c72c5b49be2d2e5c1aefcc4c1137525fc103892e9ecae9db67b0a2d60822fe94cf9de
SSDEEP

6291456:gf+Vv7lueNfC3LOBF8JVfRC+oXGHrlJk4mjQsmL9sBGr3z30:LVv7ceJGOIVZaXGBJkisG7z30

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3612	netsh.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 25 IoCs

pid	Process
5516	vegas190.exe
5448	ErrorReportLauncher.exe
3328	vegas190.exe
3844	ErrorReportLauncher.exe
5988	FileIOSurrogate.exe
5620	sfvstserver.exe
5892	vegas190.exe
5908	ErrorReportLauncher.exe
2816	sfvstserver.exe
2264	vegas190.exe
5004	ErrorReportLauncher.exe
1360	sfvstserver.exe
3508	vegas190.exe
5664	sfvstserver.exe
4936	vegas190.exe
216	ErrorReportLauncher.exe
5752	sfvstserver.exe
64	vegas190.exe
636	ErrorReportLauncher.exe
5908	sfvstserver.exe
3664	So4HardwareDetection.exe
4792	vegas190.exe
4276	ErrorReportLauncher.exe
5368	sfvstserver.exe
2640	vidcap60.exe

Loads dropped DLL 64 IoCs

pid	Process
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4292	MAGIX.Vegas.Pro.v19.0.458.exe
4168	MsiExec.exe
2264	MsiExec.exe
4168	MsiExec.exe
2264	MsiExec.exe
6048	MsiExec.exe
6048	MsiExec.exe
6048	MsiExec.exe
6008	MsiExec.exe
6008	MsiExec.exe
6008	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
5968	MsiExec.exe
5968	MsiExec.exe
5968	MsiExec.exe
5920	MsiExec.exe
5920	MsiExec.exe
5920	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
5888	MsiExec.exe
5888	MsiExec.exe
5888	MsiExec.exe
5916	MsiExec.exe
5916	MsiExec.exe
5916	MsiExec.exe
5796	MsiExec.exe
5796	MsiExec.exe
5796	MsiExec.exe
5744	MsiExec.exe
5744	MsiExec.exe
5744	MsiExec.exe
5716	MsiExec.exe
5684	MsiExec.exe
5640	MsiExec.exe
5616	MsiExec.exe
5616	MsiExec.exe
5576	MsiExec.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
5516	vegas190.exe
2264	MsiExec.exe
5196	mscorsvw.exe
5196	mscorsvw.exe
5196	mscorsvw.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CddbLangES.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CddbLangJA.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CddbLangRU.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr70.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CDDBControl.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CddbLangDE.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\DLLDEV32i.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CDDBUI.dll	msiexec.exe
File created	C:\Windows\SysWOW64\CddbLangFR.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Phaser\[Sys] Guitar Stereo Swirl.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\So4HardwareDetection.exe	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Sony Video Capture - ShuttlePRO.pref	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Help\EN\29471.png	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\VEGASCapture\locales\es.pak	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\Dolby_PQ_108_nits_Shaper.RRTODT.P3D65_ST2084__108_nits_.spi3d	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Help\EN\23819.png	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mcaacplug\mc_cpu\mc_mux_mp4.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\S-Log1_to_linear.spi1d	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\so4compoundplug\so4compoundplug.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Script Menu\Render Audio Tracks.cs	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Compressor\[Sys] Compressor_Electric_Guitar.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\VEGASCapture\locales\el.pak	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\sfcdix.cfg	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\opencv_video453.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Language\local_ko_KR.cfg	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\ofxRotation.ofx.bundle\Contents\Resources\VegasOfxRotation.ru-RU.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Video Plug-Ins\vfx1.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mcmp4xavcs\mc_open_cl\mc_config_avc_opencl.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\OfxStitch.ofx.bundle\Contents\Resources\VegasOfxStitch.pt-BR.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Compressor\[Sys] Extreme Guitar Compression.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\StereoDelay\[Sys] TripleDelay.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\es\ScriptPortal.Vegas.PublishOFA.Resources.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\pt-BR\ScriptPortal.Capture.resources.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces\luts\slogf35_to_aces.spimtx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\ofxRotation.ofx.bundle\Contents\Resources\gui.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Limiter\[Sys] Rock Clipper +6dB (Soft Transients).efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Microsoft.WindowsAPICodePack.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\V-Log_to_linear.spi1d	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Vidcap Plug-Ins\aviplug\aviplug.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces\luts\rrt_ut33_rec709.spi3d	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\x64\eFX_Phaser.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\so4compoundplug\mx5params.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces\luts\adx_cdd_to_cid.spimtx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\VEGAS Pro 19 -- ShuttlePRO.pref	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\Stabilize.ofx.bundle\Contents\Presets\PresetPackage.de-DE.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\ChorusFlanger\[Sys] Strong Guitar Chorus.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\StereoDelay\[Sys] Analog Slow SlapBack.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\PRSConfig.exe	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\Vfx1.ofx.bundle\Contents\Resources\AutoLooks\BMDFilm4K_to_REC.709.cube	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Limiter\[Sys] Dance Limiter (Tight Bass).efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Reverb\[Sys] Cathedral.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\StereoDelay\[Sys] Analog Feedback.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\InvRRTODT.P3D65_ST2084__108_nits_.Dolby_PQ_108_nits_Shaper.spi3d	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\opencv_imgcodecs453.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\Vfx1.ofx.bundle\Contents\Resources\AutoLooks\23.cube	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mxfplug\mc_enc_mpa.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\ChorusFlanger\[Sys] Vox Vibrato Stereo.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Compressor\[Sys] Drum Buss Ambience.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\fonts\Julietta.otf	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\fonts\Thinking_of_Betty_Light.otf	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\TitlesAndText.ofx.bundle\Contents\Presets\PresetPackage.ja-JP.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\TitlesAndText.ofx.bundle\Contents\Resources\TitlesAndText.zh-CN.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\MagixCVFx.ofx.bundle\Contents\Presets\PresetPackage.fr-FR.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\StereoDelay\[Sys] Analog Dual Delay.efx	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\AutoPlugin.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\ScriptPortal.Vegas.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\Stabilize.ofx.bundle\Contents\Resources\Stabilize.ru-RU.xml	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\Video Plug-Ins\PluginWrapper.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\bdmux\Ess.dll	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Help\EN\eFX_Gate.htm	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\VEGASCapture\snapshot_blob.bin	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\fonts\base05.otf	msiexec.exe
File created	C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\InvRRTODT.Rec.2020_HLG__1000_nits_.Dolby_PQ_1000_nits_Shaper.spi3d	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\8d186933378d2a9363c06622a1e15c10\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14e0-0\Vegmuxfa.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\505e1631e64401e55defbe06ca230ae5\Accessibility.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\c510a4bcfe75f634032f39bda45370e8\System.DirectoryServices.Protocols.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\27c-0\BdmuxInterface.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d54-0\System.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\98bc95f7abb4da915b0059b9ae3dca49\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\9d5e180be6e720fe412329f585d8fd4b\SMDiagnostics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Vegmuxfc\3af30449ec87d23d8cb3215fb1c70f89\Vegmuxfc.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI9512.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\mux.net\ece9c937330ea3d047cbb139d15314c3\mux.net.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\92c5f168e712e049c7e6d803b6fbbaea\System.Web.Services.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\18c3296e772ac833c925ced5ce705a3e\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f4-0\System.ServiceProcess.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17d8-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\82b1ae8cba204aa301aa01544206ca58\Microsoft.VisualC.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1604-0\System.Drawing.Design.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\{FF4B234F-58D7-11EC-9A7B-00155DE88B8F}\vorbis.ico	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\818-0\Vegmuxmc.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\87913e2b25006e6a0232a300790cf106\System.Drawing.Design.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\{FF4B234F-58D7-11EC-9A7B-00155DE88B8F}\vegas.ico (new loc)	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Design\9fa25f2de7fde1cb22bafc3dfff42f9d\System.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d4-0\System.Web.RegularExpressions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\0595604fe5cf2cf3667da1e44631ecec\System.Web.RegularExpressions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17e4-0\Accessibility.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\4a373bd305148726aa7df71947cc16a8\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15d4-0\Microsoft.VisualC.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Vegmuxfa\cd40edc159bb449e26c4748d62243a0f\Vegmuxfa.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9f8-0\BdmuxServer.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\162a2eca8d47893f9ac874aca32e913a\System.Drawing.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\dd0-0\Vegmuxfc.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\{FF4B234F-58D7-11EC-9A7B-00155DE88B8F}\vmspeproject.ico (new loc)	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\269fd33de9848d00fa6871ef3c64d607\System.Runtime.Remoting.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1420-0\System.ServiceModel.Internals.dll	mscorsvw.exe
File created	C:\Windows\Installer\{FF4B234F-58D7-11EC-9A7B-00155DE88B8F}\vorbis.ico	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9e0-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4c8-0\System.Transactions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\6ac-0\System.Web.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\e599466.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49c-0\mux.net.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15cc-0\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\4739d6e1b35b937c42282fdc1d358f57\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1140-0\System.Web.Services.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Vegmuxrt\0666ddf90cfc0087652e9140b5e4cbed\Vegmuxrt.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\8bc9dd9d744b13f8938585763fa6a16e\System.Transactions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Installer\e599466.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FF4B234F-58D7-11EC-9A7B-00155DE88B8F}	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1524-0\System.Web.ApplicationServices.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSIB8AB.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\53ee2f57567b84681fdf401e10770929\System.ServiceModel.Internals.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5e8-0\Vegmuxrt.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16b0-0\System.Data.OracleClient.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16e0-0\Vegmuxdw.dll	mscorsvw.exe
File created	C:\Windows\Installer\e59946b.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1020-0\System.Runtime.Caching.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSIB639.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\BdmuxInterface\28e8f48a458f4465547d1ffb5efbd2fc\BdmuxInterface.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Vegmuxtw\7f0c0cb6a7cfc28615f32d41830f005f\Vegmuxtw.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\1afdd520db05884c661bf2217348be72\System.Security.ni.dll.aux.tmp	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAGIX.Vegas.Pro.v19.0.458.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vidcap60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfvstserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileIOSurrogate.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 11 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1001	vegas190.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices	vegas190.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions	vegas190.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1001\Filename = "vegas190.exe"	vegas190.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1001\Version = "4294967295"	vegas190.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002\Filename = "vidcap60.exe"	vidcap60.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse	vegas190.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1001\Description = "Sony Application"	vegas190.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002	vidcap60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002\Description = "Sony Application"	vidcap60.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002\Version = "4294967295"	vidcap60.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{026D0AA2-9BB9-11D0-AEBC-00A0C9053912}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8448720-96FD-11D0-AEBC-00A0C9053912}\Pins\Output\Types	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000004-0F56-11D2-9887-00A0C969725B}\Pins\Input\ConnectsToPin = "Output"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF37BA4-2F4F-11D3-B02F-00C04F4C0826}\ = "CddbCredit Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0528CD1-F67E-11D2-8F8E-00C04F4C3B9F}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8722111A-DE20-48ac-832D-0CEDA23212AB}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CddbID3TagManager.1\ = "CddbID3TagManager Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32\ = "C:\\Program Files (x86)\\VEGAS\\Shared Plug-Ins\\Audio_x64\\mchammer_x64.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2\CLSID\ = "{69E9B473-22E6-471D-8683-84BD1E4BECE1}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF37BA2-2F4F-11D3-B02F-00C04F4C0826}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07D8026C-F806-459D-9797-ED72536F0EF8}\ProgID\ = "CDDBUIControl.CddbUI2.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{260DF3E1-AC77-11D2-9E93-00C04F68BE44}\InprocServer32\ThreadingModel = "Both"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23C9F227-40EC-11D2-9D36-00C04F8EDC1E}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-0F56-11D2-9887-00A0C969725B}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FEDD91C-AC3B-46D5-9397-6F9F23A217F3}\ = "ICddbInfoWindow"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D616F3E0-D622-11CE-AAC5-0020AF0B99A3}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b7100000000000000000000000000000000	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6802BA1-A056-11D0-AEBC-00A0C9053912}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CCD308-F7E1-477e-A14C-CBFBB3DC07E4}\TypeLib\ = "{B0528CD1-F67E-11D2-8F8E-00C04F4C3B9F}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{017DD7C6-623B-4BCC-8F4A-6BBB8DB00A01}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F432B4FF7D85CE11A9B70051D58EB8F8\SourceList\Media\89 = ";VEGAS Pro 19.0 19.0 Install Disc"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CddbExtData\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vegas190_w64\shell\Open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{026D0AA0-9BB9-11D0-AEBC-00A0C9053912}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-0F56-11D2-9887-00A0C969725B}\InprocServer32\ = "C:\\Program Files (x86)\\VEGAS\\Shared Plug-Ins\\Audio_x64\\sfxpfx2_x64.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CddbExtData\ = "CddbExtData Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F432B4FF7D85CE11A9B70051D58EB8F8\SourceList\Media\33 = ";VEGAS Pro 19.0 19.0 Install Disc"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F432B4FF7D85CE11A9B70051D58EB8F8\wmfplug4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{026D0AA0-9BB9-11D0-AEBC-00A0C9053912}\Pins\Input\Direction = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{869419DD-501F-11D3-8CDC-00C04F6B8E4C}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F432B4FF7D85CE11A9B70051D58EB8F8\Sony4FFPlugsComponentProRes	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5FF5B4A1-858F-11D0-AEBC-00A0C9053912}\ = "SfTime Property Page"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40986922-0F56-11D2-9887-00A0C969725B}\InprocServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-0F56-11D2-9887-00A0C969725B}\Pins\Output\AllowedMany = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0000000C-0F56-11D2-9887-00A0C969725B}\CLSID = "{0000000C-0F56-11D2-9887-00A0C969725B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF37BA0-2F4F-11D3-B02F-00C04F4C0826}\ = "CddbURL Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000006-0F56-11D2-9887-00A0C969725B}\Pins	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0F56-11D2-9887-00A0C969725B}\Pins\Output\IsRendered = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0528CE3-F67E-11D2-8F8E-00C04F4C3B9F}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBF37B9B-2F4F-11D3-B02F-00C04F4C0826}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B14F82-2AE0-4BD1-9705-8AB6A51DC3C6}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F432B4FF7D85CE11A9B70051D58EB8F8\imapi	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F432B4FF7D85CE11A9B70051D58EB8F8\SourceList\Media\25 = ";VEGAS Pro 19.0 19.0 Install Disc"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28D9F1E0-6ECC-11D0-AEBC-00A0C9053912}\Pins\Input\IsRendered = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6802BA0-A056-11D0-AEBC-00A0C9053912}\Merit = "2097152"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF37BA2-2F4F-11D3-B02F-00C04F4C0826}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8444E537-6C73-492C-BDD2-1B272D6463DB}\ = "ICddbCacheManager"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F432B4FF7D85CE11A9B70051D58EB8F8\SourceList\Media\146 = ";VEGAS Pro 19.0 19.0 Install Disc"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CddbID3Tag.1\CLSID	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8CB69A0A-10E8-11D2-9B89-00104B8D13C2}\Pins\Output\AllowedZero = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000004-0F56-11D2-9887-00A0C969725B}\Pins\Output\AllowedZero = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5124C20-04C9-4534-BA23-344E5ADB0E84}\ = "ICddbOptions2"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBUIControl.CddbUI\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F432B4FF7D85CE11A9B70051D58EB8F8\sonydeviceexp	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000007-0F56-11D2-9887-00A0C969725B}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6802BA1-A056-11D0-AEBC-00A0C9053912}\InprocServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8CB69A0A-10E8-11D2-9B89-00104B8D13C2}\Pins\Output\AllowedMany = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3F901A20-79BE-11D0-AEBC-00A0C9053912}\InprocServer32\ThreadingModel = "Both"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Filter\{00000006-0F56-11D2-9887-00A0C969725B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBF37B9B-2F4F-11D3-B02F-00C04F4C0826}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{026D0AA0-9BB9-11D0-AEBC-00A0C9053912}\Pins\Output\Types\{73647561-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{00000002-0F56-11D2-9887-00A0C969725B}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b7100000000000000000000000000000000	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF37BA4-2F4F-11D3-B02F-00C04F4C0826}\VersionIndependentProgID\ = "CDDBControl.CddbCredit"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5F6A237-301B-11D3-B030-00C04F4C0826}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7298A3E0-78EE-11D0-AEBC-00A0C9053912}\Pins\Input\Types\{73647561-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}	MsiExec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	vegas190.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	vegas190.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	vegas190.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
2116	msedge.exe
2116	msedge.exe
1608	identity_helper.exe
1608	identity_helper.exe
4808	msiexec.exe
4808	msiexec.exe
5988	FileIOSurrogate.exe
5988	FileIOSurrogate.exe
5620	sfvstserver.exe
5620	sfvstserver.exe
2816	sfvstserver.exe
2816	sfvstserver.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
1360	sfvstserver.exe
1360	sfvstserver.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
5664	sfvstserver.exe
5664	sfvstserver.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
5752	sfvstserver.exe
5752	sfvstserver.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4924	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4292	MAGIX.Vegas.Pro.v19.0.458.exe
Token: SeShutdownPrivilege	4592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4592	msiexec.exe
Token: SeSecurityPrivilege	4808	msiexec.exe
Token: SeCreateTokenPrivilege	4592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4592	msiexec.exe
Token: SeLockMemoryPrivilege	4592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4592	msiexec.exe
Token: SeMachineAccountPrivilege	4592	msiexec.exe
Token: SeTcbPrivilege	4592	msiexec.exe
Token: SeSecurityPrivilege	4592	msiexec.exe
Token: SeTakeOwnershipPrivilege	4592	msiexec.exe
Token: SeLoadDriverPrivilege	4592	msiexec.exe
Token: SeSystemProfilePrivilege	4592	msiexec.exe
Token: SeSystemtimePrivilege	4592	msiexec.exe
Token: SeProfSingleProcessPrivilege	4592	msiexec.exe
Token: SeIncBasePriorityPrivilege	4592	msiexec.exe
Token: SeCreatePagefilePrivilege	4592	msiexec.exe
Token: SeCreatePermanentPrivilege	4592	msiexec.exe
Token: SeBackupPrivilege	4592	msiexec.exe
Token: SeRestorePrivilege	4592	msiexec.exe
Token: SeShutdownPrivilege	4592	msiexec.exe
Token: SeDebugPrivilege	4592	msiexec.exe
Token: SeAuditPrivilege	4592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4592	msiexec.exe
Token: SeChangeNotifyPrivilege	4592	msiexec.exe
Token: SeRemoteShutdownPrivilege	4592	msiexec.exe
Token: SeUndockPrivilege	4592	msiexec.exe
Token: SeSyncAgentPrivilege	4592	msiexec.exe
Token: SeEnableDelegationPrivilege	4592	msiexec.exe
Token: SeManageVolumePrivilege	4592	msiexec.exe
Token: SeImpersonatePrivilege	4592	msiexec.exe
Token: SeCreateGlobalPrivilege	4592	msiexec.exe
Token: SeShutdownPrivilege	4836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4836	msiexec.exe
Token: SeCreateTokenPrivilege	4836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4836	msiexec.exe
Token: SeLockMemoryPrivilege	4836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4836	msiexec.exe
Token: SeMachineAccountPrivilege	4836	msiexec.exe
Token: SeTcbPrivilege	4836	msiexec.exe
Token: SeSecurityPrivilege	4836	msiexec.exe
Token: SeTakeOwnershipPrivilege	4836	msiexec.exe
Token: SeLoadDriverPrivilege	4836	msiexec.exe
Token: SeSystemProfilePrivilege	4836	msiexec.exe
Token: SeSystemtimePrivilege	4836	msiexec.exe
Token: SeProfSingleProcessPrivilege	4836	msiexec.exe
Token: SeIncBasePriorityPrivilege	4836	msiexec.exe
Token: SeCreatePagefilePrivilege	4836	msiexec.exe
Token: SeCreatePermanentPrivilege	4836	msiexec.exe
Token: SeBackupPrivilege	4836	msiexec.exe
Token: SeRestorePrivilege	4836	msiexec.exe
Token: SeShutdownPrivilege	4836	msiexec.exe
Token: SeDebugPrivilege	4836	msiexec.exe
Token: SeAuditPrivilege	4836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4836	msiexec.exe
Token: SeChangeNotifyPrivilege	4836	msiexec.exe
Token: SeRemoteShutdownPrivilege	4836	msiexec.exe
Token: SeUndockPrivilege	4836	msiexec.exe
Token: SeSyncAgentPrivilege	4836	msiexec.exe
Token: SeEnableDelegationPrivilege	4836	msiexec.exe
Token: SeManageVolumePrivilege	4836	msiexec.exe
Token: SeImpersonatePrivilege	4836	msiexec.exe
Token: SeCreateGlobalPrivilege	4836	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
4836	msiexec.exe
4836	msiexec.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5516	vegas190.exe
3328	vegas190.exe
5892	vegas190.exe
2264	vegas190.exe
3508	vegas190.exe
4936	vegas190.exe
64	vegas190.exe
4792	vegas190.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3612	4292	MAGIX.Vegas.Pro.v19.0.458.exe	88
PID 4292 wrote to memory of 3612	4292	MAGIX.Vegas.Pro.v19.0.458.exe	88
PID 4292 wrote to memory of 3612	4292	MAGIX.Vegas.Pro.v19.0.458.exe	88
PID 4292 wrote to memory of 4620	4292	MAGIX.Vegas.Pro.v19.0.458.exe	90
PID 4292 wrote to memory of 4620	4292	MAGIX.Vegas.Pro.v19.0.458.exe	90
PID 4292 wrote to memory of 4620	4292	MAGIX.Vegas.Pro.v19.0.458.exe	90
PID 4292 wrote to memory of 2116	4292	MAGIX.Vegas.Pro.v19.0.458.exe	100
PID 4292 wrote to memory of 2116	4292	MAGIX.Vegas.Pro.v19.0.458.exe	100
PID 2116 wrote to memory of 1676	2116	msedge.exe	101
PID 2116 wrote to memory of 1676	2116	msedge.exe	101
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 4168	2116	msedge.exe	102
PID 2116 wrote to memory of 3784	2116	msedge.exe	103
PID 2116 wrote to memory of 3784	2116	msedge.exe	103
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104
PID 2116 wrote to memory of 4572	2116	msedge.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MAGIX Vegas Pro 19.0 Build 458 RePack by KpoJIuK (64Bit)\MAGIX.Vegas.Pro.v19.0.458.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIX Vegas Pro 19.0 Build 458 RePack by KpoJIuK (64Bit)\MAGIX.Vegas.Pro.v19.0.458.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SysWOW64\netsh.exe
  netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3612
- C:\Windows\SysWOW64\route.exe
  route.exe delete 95.141.193.133
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://repack.me/ad.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7a3646f8,0x7ffa7a364708,0x7ffa7a364718
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
    3⤵
    PID:4168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
    3⤵
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
    3⤵
    PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,7266988136636154981,17358452763376113986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
    3⤵
    PID:724
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {FB6AD140-FA63-11EB-982B-00155DEA5CED} /qn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\MVP19\vegas190.msi" /qb SF_INSTALL_DESKTOP_SHORTCUTS=1 APPDIR="C:\Program Files\VEGAS\Vegas Pro 19\"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6FAD99052FED70B8DB512DCE1C93D45C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F485BE87B10FB4ADE90ACA31E967CAF9
  2⤵
  - Loads dropped DLL
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" Install "C:\Program Files\VEGAS\Vegas Pro 19\bdmux\BdMuxServer.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 21c -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 21c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2d8 -Pipe 22c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1180
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2dc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2072
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 0 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 32c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 31c -Pipe 2e4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 0 -NGENProcess 320 -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 33c -Pipe 2d8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 34c -Pipe 320 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 348 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 0 -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 0 -NGENProcess 310 -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 330 -Pipe 358 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 0 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 364 -Pipe 338 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 378 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 0 -NGENProcess 368 -Pipe 2d4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 0 -NGENProcess 34c -Pipe 378 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 0 -NGENProcess 398 -Pipe 380 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 0 -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 0 -NGENProcess 3b4 -Pipe 39c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 0 -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 3b8 -Pipe 3b4 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 0 -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 0 -NGENProcess 384 -Pipe 3a0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 0 -NGENProcess 37c -Pipe 3ac -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 0 -NGENProcess 37c -Pipe 38c -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 0 -NGENProcess 340 -Pipe 34c -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 0 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 398 -Pipe 35c -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 384 -Pipe 3a4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 0 -NGENProcess 3c4 -Pipe 3d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 3b8 -Pipe 388 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 3ec -Pipe 3d4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 0 -NGENProcess 3ec -Pipe 3b8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 0 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 3cc -Pipe 38c -Comment "NGen Worker Process"
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 3ec -Pipe 384 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 0 -NGENProcess 3dc -Pipe 314 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1512
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\mchammer_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:6048
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sffrgpnv_x64.dll"
  2⤵
  - Loads dropped DLL
  PID:6008
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfppack1_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:732
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfppack2_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5968
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfppack3_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5920
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfresfilter_x64.dll"
  2⤵
  - Loads dropped DLL
  PID:5952
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sftrkfx1_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5852
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfxpfx1_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5888
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfxpfx2_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5916
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\sfxpfx3_x64.dll"
  2⤵
  - Loads dropped DLL
  PID:5796
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\VEGAS\Shared Plug-Ins\Audio_x64\xpvinyl_x64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5744
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\CDDBControl.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5716
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\CDDBUI.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5684
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstproxystubx86.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5640
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\VEGAS\Vegas Pro 19\sfvstwrap.dll"
  2⤵
  - Loads dropped DLL
  PID:5616
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding ABF8CEF0A16C386172BE76A3F961F3F0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5576
- C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe" /register /user 1085
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5516
- - C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
    "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:5448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:244

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3328
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Program Files\VEGAS\Vegas Pro 19\x86\FileIOSurrogate.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\FileIOSurrogate.exe" 1033
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5988
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_3328 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5620

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:5908
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_5892 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4924

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_2264 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_3508 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5664

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4936
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_4936 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5752

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:64
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_64 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3616

C:\Program Files\VEGAS\Vegas Pro 19\So4HardwareDetection.exe
"C:\Program Files\VEGAS\Vegas Pro 19\So4HardwareDetection.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4792
- C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\ErrorReportLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe
  "C:\Program Files\VEGAS\Vegas Pro 19\x86\sfvstserver.exe" -Event MxVstServerEvent_4792 -Vendor "MAGIX" -Product "VEGAS Pro 19.0"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5368

C:\Program Files\VEGAS\Vegas Pro 19\vidcap60.exe
"C:\Program Files\VEGAS\Vegas Pro 19\vidcap60.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Control Panel
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e599469.rbs

Filesize
490KB

MD5
b30adff44008b34f6d512d21a7405fa4

SHA1
0830183ebcd0f94c890d69b0dee920e08dfb0fe8

SHA256
4982908024da73dcb257663f1da8b5b1b2edd9ddf683b3a49b9e3fa56b4291c0

SHA512
ac95fcf08b15bb65abe1c0b85123987ac71f44fe99bdba8928cd029cc640d3854b3373f215a8b42dbd8b79c41913a48c5a71c0d4105a67b1615794180ffd72f9

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\compoundplug\mc_dec_mp2v.dll

Filesize
559KB

MD5
6f0f01a779c9c98c2ee93f00938c1b0f

SHA1
4696d49c9ffc567b5561531755311bdd42e9fee9

SHA256
2bb7734a16e30da5a6e70dd4a646cd9dfc7164a314d051e9470bceac7fffd2a7

SHA512
c56c71c67142e24e65df11dbde2dcbb6940ac18ab9ce4a4de6d1eae5a6ff7639ec3df53477f0fe201c5ec91941f081069aaaa86f860d6304ae2c4f0645391a2a

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\compoundplug\mc_demux_mp4.dll

Filesize
833KB

MD5
3d5137c0af9fc365c5925e346a191eaa

SHA1
1752a35e4bfa23a2e7eaffbf99e832e85a67e5b5

SHA256
6f46e8258679bf5bdbc194f2310e490fadf6bf3a83257a27e25a261b8aeea57e

SHA512
5f553590c55c3dcbabad24b16423174ac0a661aea786621c683dff926185173f9974dbf33b22676db1f41a5d4da7b5f8efbe8a6df74db66126372825e81eafe9

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\compoundplug\mc_enc_mp2v.dll

Filesize
956KB

MD5
c33e32e26efe7cc986eef53d2e3d9e71

SHA1
8c13a1b028cb4ce1792edbd2caea1e3429505388

SHA256
9b8fbc98d0906f99039503f25737fc4c9aacfde1cb597b477af3a09f53064002

SHA512
924f24ba7296fc74ad8c05f11c49630488be966a002c15a87bc69385b7a743cafaeb5eaac3e93447534d6fa181c94ca787dbe7475bae9bce078722cdfd678d40

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\compoundplug\mc_mfimport.dll

Filesize
1.0MB

MD5
87ef9b25f0fd80bf7d96d4dba31057f9

SHA1
96b7ff6f6f71659c687abb5d07fd5b3f4241e34e

SHA256
8a3f18a4dffa3c5bae8b8f20de122d9ecbbdfe319f3b88a1602c91104d9ab4b5

SHA512
3decad40beeade189d64c27aa8609b6f9728137897d3959a8fd0127d1650b958ce77041236a955995bec365f302bd8fe342fbc493726b605c4051b88312fd50d

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mp4plug3\mc_cpu\mc_enc_aac.dll

Filesize
320KB

MD5
5ba2c65c96662433fe83f0090b818cb7

SHA1
ef5c67eae2cec05c3e57de73100dd5bf0e44f9ac

SHA256
d4b813eacdb5d548b3c3f26c348f47037a39117db313036ac814462a7c95e4e6

SHA512
8b745afb9f2521a4a392d942a9b1be9f0341001833a2f234a38c93c16fef2eb112f6526f3e749bdd3568bbceb45fca554bd5b4a9513f601134479f594fd99a64

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mxfplug3\SMDK-VC110-x64-4_0_0_scs.dll

Filesize
4.3MB

MD5
25654b68cb97cc3a38a178bc22931a57

SHA1
370050ffb4ab143dd693ed5ea5ae84b73ccfdac9

SHA256
d179d7fb863d8e44e04c353696b75bc21938f6eb93ed2e9721ac37f3a1c4f716

SHA512
99fdfa40058d5a9b3997e7b243259ce65a61375e9352b3e98645f1a4f497b44bda3553edc84d8ce8cb84dec14678a96f6b05ab2935640d98faa367e264811bc4

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mxfxavc\mc_dec_avc.dll

Filesize
7.0MB

MD5
fedaa0b67a8e5004151542889fc49129

SHA1
c77273af5ae7e339b5248569159f5ac41df7cf57

SHA256
d34d1e581a07301be3070454a1f29bd3b9d2de2683ea3b782649560511c08ae7

SHA512
8c474dd7987771a217ba5df5b6982130e6a89f22b5f65c5b3bfd0a297a2a80091b9f6fb2d4e74c0e98b48de556d76d1897b2ead818cef14f25832bac6ae71d03

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mxfxavc\mc_enc_avc.dll

Filesize
6.1MB

MD5
3664280a8e488dcb10e5c899b4b83c43

SHA1
46ff56b2e9a651479ec268cf0ac1c3521ad4d591

SHA256
48ce6e8072e8c064030bc3dd3f9330d9c661bbbecefe4b8d9df6426a23581340

SHA512
befe3245e9e1487c24cae50a3de4ec1b532f27e63b72abe28c5178ba54ef123299dbdcf7277a995d4eeb0104ba70b38846a20b9817eb47b0b8f75d7c7eafc482

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\mxfxavc\mc_licensefile.bin

Filesize
128B

MD5
238a743f0e97323ea57188d64dd03d69

SHA1
6c2efc48071d5749e84709f252306f9afe18dfd8

SHA256
e7c29e324195c06eca9a2cc6300759985129169a25a082e7b45374f0250fead1

SHA512
030022ac2d73bd5aa91d7c478bee565692e0b84a94de8e44332ff61ef31f2e03bfd866bad6bf5a246042b127ab7e4eb0859cabf00420499dded1a1f3a2caccc1

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\FileIO Plug-Ins\so4compoundplug\mc_dec_mp4v.dll

Filesize
1.3MB

MD5
343c6a76a79ccb652d5c2397eff52168

SHA1
ecb7e4c4ed3f43330470acbbdaea28b3ea67cb18

SHA256
d608894292a4b8cec3fb8d5c1b43f1be71d8e3f3d58dd375a45b50afedb2d202

SHA512
5e7c410aabce0963c1ea27961c3c60f4ed0a6f01ed76b695f259398f55e6648d8ae1295d00d181e0bf0c671a0a05962423f85b3c96ce3382124af2f69cee86b0

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_de_DE.cfg

Filesize
732B

MD5
383eb5679bb7e0741b1f4d4da17ae2ac

SHA1
158fcd9edfc4b5e0530463835509800dcda176af

SHA256
5c2a877404fe0e0a5127f8fcdf4858d72082489f54bde7bbbf19c79fa7822578

SHA512
18dd8c24a36d3e5f4a41c33c15ca84848a8c27198921c71dd82a91bfa4541f523c806cd11fb36bb7ab5d44c4a3d8a5249df83055ef72e9d0d551a4e7a7cf09b1

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_de_DE.cfg

Filesize
13KB

MD5
2fb37ed278c98164d5dec6ccc639843e

SHA1
87d4ba46dcac7a928d7ec348b503f24345c94daa

SHA256
89b6670db049baf2d2d9445c82491a15bd0a54afa114dc43251197724335544c

SHA512
fdb6c74f8e2e0c18149213097995b0353173b2d7a025f4f2ad0067743aa29beb03e68362b86d971e3eb9e8c0d3e0fdf54b39d46d31460d1570d4e7f2739680b0

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_en_US.cfg

Filesize
486B

MD5
e02ed43197ca041175d46cd11692e8fb

SHA1
2108bf34bb5387362e280abee5f5d1d2f94381e9

SHA256
adb2614946d23ee63a4bfced0b7cb71cc2c521c21496d06c83193ef36846d5a4

SHA512
97a82a811025917320764a83c76cd7c9df776299fc0d031d9862321076091733f58e02001e79eebfe4d5b3b066d2c3a6f69a2581465f5dd38fa392350bd0255e

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_en_US.cfg

Filesize
2KB

MD5
855c3007219380313f1bb7a9d330f413

SHA1
430b31abeef7e5582252ca06db3627dce5c10af8

SHA256
6869e1c56ec9eddf7720f7d5006b1ef2686ea63a8c9c975e1161a764057db207

SHA512
f4fe7d4c9628f925070b7609b0e6c82c0170a6484d0134e74475f4b874e0e15e25cdcf3948f5d01d0c7fe4a25e4ae51a92753d1d4e29c489557a85601bc7ed3a

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_en_US.cfg

Filesize
2KB

MD5
d0d7708f194db1fb2363f1a50149a906

SHA1
d52a5b9756d9f6719c283bf4d7835db411dc3d6b

SHA256
546ef782140b3fb58fc9e65656cd9529b105aa72269d2be3292168d6efca1700

SHA512
653f660a3d7880218a1cb00a17f843926ef285efef185afd68c46a5c4f8a87004ab77c63222f2c304f3838fce413ff3a819b7428ae8ec9585f82164c012bc0cc

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_en_US.cfg

Filesize
3KB

MD5
02f349c422277a6033a4a6b9cf2c6667

SHA1
c92cb4c2a4128e5b1af1ade52f2cabc9048bc9cc

SHA256
2ff3fc4d6a8caedce52a20dcefa2461756d058c9e874eeb2a561f33eb78011e1

SHA512
7eefd0b3a7922bd6f43a4b9c2fa7230bdf32addb9727896f0be2b019dbc7ad22ded1337a1cebaaf1aa4005ebd479e2a155f3d134e12882ca2e0e2961da80b171

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_en_US.cfg

Filesize
5KB

MD5
c000a2b56b55644c593f408896dac94b

SHA1
4691fafab8c75eae8bb65494f9de156d01450dfa

SHA256
f497c1c845dae5c9364d397665c7d4c4e2b2c887b689f503bbf05ec5d1ebbc0f

SHA512
bd63fc177ea660dbbeb1f909db8bb82c710bce08c4eb92237840e002e19836088f48eff4d1dd45b8db69a7bb1a2421d0fac2df62cb7fb69aedf2990d1ea32ce1

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_es_ES.cfg

Filesize
3KB

MD5
94a9cf70b570601a8240158e718f601b

SHA1
2231da9145e8469ddd438ba93a571d0a52cae2f0

SHA256
267d55fff1d287af06c1655b2ee1ed0e9767f954ae5e537ed854ed7fb1334414

SHA512
051c2c36e53cf66365cf8af13a0218230f57d27793100eee3309f937938c20bb3f48ec7dceebbc1c0594fbed81671993682028a041dfd12c78a6ecf6be5362c8

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_es_ES.cfg

Filesize
4KB

MD5
17e8eec849f072887366e3b11ac62301

SHA1
6d64eab1b7ffb87632cbeb29d27d686c5dd84bf6

SHA256
0eace35d780c7957f530489eb45685bc8ce70a7396e0842147bb2d7133ca06bf

SHA512
2dbccb4970c09addc9ceecc510eeeaf0370b9fa685d70c45c8fae4a520d1f2d302e5f55280b5400f3bc3885e96f16b8c758ec27015252b7c45d953a7dcc0b3a7

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_fr_FR.cfg

Filesize
6KB

MD5
988c04fecaea9157a167247d11e9f518

SHA1
723a547ee9c260ebd2c5f30b8708ba2d23323701

SHA256
cc1caabd9386178f30feabce7e78d9271fdae21aa5050643e9be7d41195b6d40

SHA512
b42a19b00e8f0797b2d01ffe94676f43d10841e81ece08eadb61d6d5e3d42f7fff634a76eb38fa42993b9bdbc92f9ed020fee556f7457ad719dfe2e49c8ad916

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_ja_JP.cfg

Filesize
13KB

MD5
71b2fdccf02d3acb1b431ea711b38961

SHA1
8d77fe95d2092535e8d21953ab5c97d0424afe87

SHA256
77d4a3c8a9453c4f9e4649fe238110e158b6d96a45bbb17798847f10a7fb0de2

SHA512
4dde4417d1de97b0a9abb86b71259b06b445c8d7e06799479bff359fc2191fda8ccb4e63cfe13504ef4258ccba8797461e981bad8206bc7ce81f2e98cbef821e

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_ko_KR.cfg

Filesize
13KB

MD5
3ffc22caa816a585fa881aeecb86c369

SHA1
9e03b32a6be2bfb6e324f7c2d3bf0d6eee7d6005

SHA256
aaa739db8f6430efad0ff91e6688c8ce9abcf352766ee1a43f6cbf10b49b6789

SHA512
12db1fda90d627643f57c85a92fd8c7079e3b42a069cc5d77b8206c1ea50d79e6b29b5a64161b26d32d30694ec849991af79fe7a81f9e21a1a11ab216039c7d0

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_pt_BR.cfg

Filesize
302B

MD5
186c88b2ab5b4c5c566053da669eeb51

SHA1
aaf7c651972bd148c549ad704236306709c8b415

SHA256
4d1a8cd4cf3f8ec8c3e1291c0ffa697f460ee689f5b07582facd49670cc40832

SHA512
cbc06f2846ac6915e7fbe49c00c73d43bb9ee728bd6704824be67e9680787439b9c2e60283a588ab5ff114fb91f1ae24d13441fd7d638cdd2a9e46b5db2453ab

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_pt_BR.cfg

Filesize
852B

MD5
690a4f43b703eaa77185b04a34b7046c

SHA1
2c75548f8a4b1e9da6fe512d7b2d76b7f4bae8fe

SHA256
f4644e880807f77e96788068e929b124886f103c1bfc80a5eaf11a803a8cbaa1

SHA512
f3ce37fc9bbedc2ccc5fdb5005b533b9c207c6387d35dd3311b4bd673a5388003a14bbdae5c3ad2589161c7976bf80b3df03f114212caeced9c7271532c109a4

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_pt_BR.cfg

Filesize
4KB

MD5
66259a7b9fefc38095d99e5e39a32284

SHA1
fbc2e4b1eb220e7ae018b0c9bef44e056bcc87ec

SHA256
10a11ed1cdbbba075c72af8e93fa9547385f6e1cbd9944836fa269cae148aa9b

SHA512
df910eb3302d5ee536c4e36a6d99772d1f263b15dfd4029c2a6971e5c80c954948df6581ac6718230713821e26342415f8c289177f98d3856e14b35eb744ba27

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\Language\local_zh_CN.cfg

Filesize
13KB

MD5
6ff1e8b81dd7766f58fe957127844e0c

SHA1
34fc27cc9ec4c7b673f45ed65f8c2be47ae7e11a

SHA256
8085ee1789cdcfe8022c1972bb06307f81571e70e9599dcc0bc04ec150dfd325

SHA512
d1f48a7c21c81665f7d1fdec3f2ab7718cbc69247b0e2eb1e38822f2b79af6bd5f2d521ae54d6814cfc08d83ff10b48d00339f8f7e13dba54e5a9de8a0723bf0

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Help\EN\36.css

Filesize
55B

MD5
afa7ee18ebf29250e6c1d58d117b0a8f

SHA1
82848e876d0559e24d95cdc27f4d81a20f96acd1

SHA256
ba77806fa2c2ffe1f2c896b4340eb169fe0cd0f7ad0706e1b4d6cfe8dfbc03f6

SHA512
054d13d69d68f8c3af0b9eed577d325877bc987699b29f622534f216a07c66f081edf16e6aa2c01635a0b9236191033abc7a904633fa918eefde87cb6baa61af

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\MAGIX Plugins\essentialFX\Presets\Compressor\[Sys] TBX160.efx

Filesize
728B

MD5
fc86d688081c4bf09dba3a066433c1ff

SHA1
879d015def134b14f9ac001207493a8bd1cee4d1

SHA256
330a6f77d0ef56f14345f860df9f5fd8d4f41d5de4c61e147f87ffc3aa5756e4

SHA512
c0c858fdfbc041419d51e2061aeae8de20cef583f0c50c44a3d1e4ac2d5bf18524ae2a0920b097aad99c00690b3e386a74362eaaa2ff6095131ee30729acdea4

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\OFX Video Plug-Ins\MagixAiFx.ofx.bundle\Contents\Presets\PresetPackage.ru-RU.xml

Filesize
10KB

MD5
efdcffe1d1f4bcce6cb47086d854e04d

SHA1
0ae2e73fffd9a12fdf98b6d5fccf4831601d5960

SHA256
403d94bf4af8c645b1782a2b06964fa8a4472836f46074dab8b36817083ff4f0

SHA512
fb1205972e8323085a3c5d14e07694b778faf898461a37f90a42b4aaf2ede46864762feb9b31698c1f41ef63dcb8f4021fa9e72bb1203621c08fa5ad605384ff

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\OpenColorIO\configs\aces_1.2\luts\linear_to_rec2020.spi1d

Filesize
76KB

MD5
67f295e9f8be3d15aa161031f3761b7c

SHA1
89fc2e9845ed297e16c05823b655520755a234fc

SHA256
4aa8c8265b737c5dd8604408899ff7ee9f70780f8b0d49ead183b48699a19b5d

SHA512
2dd2f2da4559a9f3e4f6363f5b96d3d94655026985f051889bb05fd6628d0051dc06632fff322e9057db9e2c71281d29ba1ee5a2ccab46813db26c558a7db3c6

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\VEGAS Pro 19 -- ShuttlePRO v2.pref

Filesize
11KB

MD5
f380d12cc48bb1b80f341d4893056766

SHA1
7c5b0f8bcb0d93162f90d9a70198574b2351350b

SHA256
193812e7299e9f56a362ec98f943986d3a216fd15748ea6c563baf9a673001b4

SHA512
a787ffd59a3ccedcde0bc394c6ce1967ec745939a063036f8e26fb84afb6cadf2a26d45598151e5f4e53c8b4d54584b5012722bf44eb8338fccc71f25e66158b

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\WidgetLibrary.dll

Filesize
710KB

MD5
564341060fac0944843969b57c96cf17

SHA1
7ec68b81695cd01dbc65bfcc55307cb884a489bf

SHA256
9f62c97466e0977d3f8e97526e3314d14e8d50d0a40770cb563b030ff73c4f9a

SHA512
54f5dc52832cc8358d9cb13767ed974881be65587234f2c330a9f048fbec831dfaebdc680726f608eb973caa928ef41dee9cad9f89404801de0549a2118a91b5

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\fonts\MarkMyWords.otf

Filesize
104KB

MD5
7c63423376c2f45b7d76537c933a95cc

SHA1
58561511026f8761d1a90a6bee79d4a152b420f0

SHA256
57c478c62fb66a6dcc1281e1f92f741fedeb2e60ad42b4a06825336f1f3506eb

SHA512
e15d075df3574bd7fc9191506cb113ed17767d1a50cc918ea1d7c75b22c5165a7b5ad33ddb453c5c7d4efa6ad182f90f2a1a1857c614acbbada34202e6c79a81

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\install.cfg

Filesize
1KB

MD5
3b8d92038599effd30d81eab47b37c0e

SHA1
2abd9aefae20234e471f672bda05542d2af88ee4

SHA256
dd9b81636eca3db51490c6a31f5e5a58f5371bed3e0142bfd155c13382201f3f

SHA512
59c98d518d39b76db9b2fe550d12551ba4bf80cdc9b44cc24a53cc5105b4efb93699b70f428304b7573b51cbae1994fbdf022eb05bc9c7ceac50bcba24dcd42e

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\readme\HTML_ASSETS\release-banner.jpg

Filesize
3KB

MD5
6d5dc46f9bb6ca3b4991954c6ef4117c

SHA1
20a06a4ac4b1732ec0e676c507fc4a2860bea698

SHA256
2519a81c7d217824efe2c734c940d6a29e752df20e134b64b777a1506f306d79

SHA512
2abfb6431f3d42a785baff5dcf60b9798f0d9627ae47788cc31970a5c6c046412e47bd332d7b42b6e6bc5074eb22e17938a68921c1beb48a10c0d1365e01368d

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\vegas190.exe

Filesize
44.1MB

MD5
9c724aac54c433fc73f6b99a6b6a8d1a

SHA1
c713866296d1ef70ac959f07a30082c9ef08e912

SHA256
ffbf807e569d3c2bcea776d4bed677d18b38bf31f47d5e7182e0997e9e6b00b5

SHA512
fa869ea538a6cacfaf14fd3fdb424484dcc9b45ce8f1ac7b4431911937b1a9f6b679d1061d88041291cd53b3a5b135835497c7078b8cbea821c1c4c7a61737c4

Download Submit
C:\Program Files\VEGAS\Vegas Pro 19\vegas190.udat

Filesize
604KB

MD5
e34227582523dd5d6450d2a48e742d79

SHA1
0e7ad3795405d5eb2122fde5f0fc66ce74e1c855

SHA256
883986d00df7669a1d573a76317f036521232b0ad80a1b5f9cefbbda788f8932

SHA512
cf1ae9fa909655e7a639e382006cefd35ed29805cfdc92d48beec484794f79933313f6c7b13070bb9300e5c7829a63266048b5fdeaf84cf27ea27640f673531c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
288B

MD5
fc2ca4d12009853b906e6fdcff238ba4

SHA1
9649b848321a3813a21bdb6ddc61c2b73d04c8af

SHA256
23595067e4c2bf981bc99967b8609407d3de2a60edc60b3fb43b8121c31d428c

SHA512
e79eb13a47bd017c2b0fd5fc65a807ae4cd7f112543160ce09e63699032ce6f141dab2929745af0c56c915159d94b6ef5b1365f542e69f497e425d78603b1308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1019B

MD5
95cb47757a1526e877eaed763e074181

SHA1
947f5ac22fcbe6234ed57550cd3a092835ff82a7

SHA256
e431a8d31de11f988071a74d60e00d061b213b951c38dc10ccdc1fbd1fc2563a

SHA512
e70c41240be92837234838d8f76afb6277ab35e391d18db099a0ddd96b9b7a31d3df6ab58f32922ad5e49cfea3eda0324cf0ea5cad1edfa1ddb946175861eb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54f17a5ca6da62b15d01014ad3106c25

SHA1
922d47687cb067705371528535f36dc1ea59aa9f

SHA256
d9f773451f92dde7362ad6a6dd5ca049ca4e8996e567d6f2b2285f26c875936d

SHA512
908d8cb1953f4529fa19e6276f4022b1c3b50307ebc6b5c9e684d96b9f2279f262ef750b3ffee557d61f38231fceaed3f26f100b1507c421c6057ac77cfdd977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d7ffa699575bf1e982860b8a1f964b15

SHA1
0b24cfde37ea453d223df33511b3d87bccd52094

SHA256
7bd714d94e0e178331c4a55b3ea48ee5ed0df57c8bb6878e609329007654977a

SHA512
66f62214e39f2255dd11f946c931b1018efbd58d0bd6806dd4b0eb3a05db8703970067aafbe3098a289082d726f4035e084976d836c334ffcf80f0f187717440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
152160effda655b22a12ddc2e62486b7

SHA1
1977fb26cdbdb03ce63ae37463516c1c5265638d

SHA256
91584a72fe6bc778b63780f5fe13e1118f60a35e75fd51ec69af8908e3a535e2

SHA512
24efe0a3510f52731f47ec648e621eb7aad227331f94f6b260b123b865b0f179b6841d45e5ffb41367a778c36ea179ea6eccf629b12359355241b0397b67a746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb3fef312c353b2d1b0c0c1a85fdd232

SHA1
b7804b05b4afc2ce0d036b43eb8ad4bbf646482c

SHA256
b6a54528d821e6ba9af2e09250c5239b0a1fb51df1dfae34c4d651bd024c7825

SHA512
1de96ffe841291019c049dfc17dcbf005b540d8a4deabb58944444aacbc417f2c707b895843ee66d45cf8778a3e503aed20179dee56df120d882384a8d505b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e28f4b212618f67a03b6fcbdb0fc0ec

SHA1
fd1f70132987ea92cf55ef36ae725114f793b26b

SHA256
77ff40221edc1221928dbbd759b230cd72dbd6ed10d2786bc4a38a960777d1ae

SHA512
09bc288b8355904416492e602990d601d0f5df45b4726059c51baf1d6ec81e6f010218386fbce4c3e0ec427d611503593a3814efd5152f1191833f4082f7c910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77d7ecc88fb89e450044a76822e733c4

SHA1
e544846d6c2663efa7a98a7c2a9e201711f17663

SHA256
05b6d6dd9283458402339ef2905bc20a61f1908e82ed96ae0304d7c14d465953

SHA512
1fc1412b338b29e81ee349ced5fe55110f48ece324a5bef620a66ebfcb5da3e01885ee2486c78e8eb68d53a8472a586fe9b8f47839e26eacbeec0f93c35dc599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
246cde26a9bf013c58bbe1494a4ab5fa

SHA1
a2269c2eeac66522866e604e74d99e004065548d

SHA256
7167e454b5b2203e6a645a561375ada9fbb8c4114c106a53dbb6f974059d7a3e

SHA512
34100b30872022c1fa64f00e0ddae70d84a01139dbeb24be95f0b98303d75389509ca8ef2db3cec3408e90cecf98a66bf27712fb50220b49358a2b6da6716bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\Shared Plug-Ins\Help Files\mchammer_x64_esp.chm

Filesize
11KB

MD5
174a41bafb43045e170b4419c3f518cb

SHA1
69150c318384d2109b286f5c195abee5212a7830

SHA256
b3fa12b21aa606ad6b8fe57141a081c675acf9ff078349859eb7eaf20cea7792

SHA512
e3f1db1bcd21c2aadf0fc805ab63223a296e77d076b72d32764f154c15cd67744b5194be096d8701199ea0b12ccf8edd1e72b358cc93538297227a8c4a560acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\aifplug\aifplug_deu.chm

Filesize
42KB

MD5
bc7c77b1d2be14eea6a21cc561575117

SHA1
feaa3909504867216508886eebdd15ef375c7592

SHA256
1edb33ef5b285c2b064249c14256b83157f00c732b2f508fb23bd352a4aa1389

SHA512
f6436c7d2ec14e28beda5d7bb87a6e0f37700626f1e0a7cc81ea0ea6291cf572b1917b6601fe33381c58a13991e2b74707626f00bb1ea6006a75f0f61fe49454

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\aifplug\aifplug_esp.chm

Filesize
42KB

MD5
3465d53eaadb5281a6e4d365d8fc6840

SHA1
a6d42c4a7e5decbc335c29a1e2dc0c5b26855d25

SHA256
d1328fec9b03bd7789437e11cb084c67c9a3a31247809db8dae3c4f07508b704

SHA512
6e6bb9c5d98c2f722dd282074495a0a712e6bb524e2d8c6f426c8567b1bcb80a7fb51bc70649e7668f40f38b1783ea80510f04fd844e0178a0587e827d468c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\aifplug\aifplug_fra.chm

Filesize
42KB

MD5
11e03a790ddfd1112587d020165d989a

SHA1
95fcdb8e9568d0d049aaf2da7b5b5ccb59a1cbe4

SHA256
56f4882144e4d787c643208fa372496dea696065f96971edbf1220f7e1648228

SHA512
05ce55290d203100f05d2aa293cc16fedab642e0cd13cc363fdd46bac49b21f7dcddab3df2c174c60e0a0b722fbf0567efdf0e45b8f385675fd94ca0bd56487f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\mxavcaacplug\mxavcaacplug.chm

Filesize
43KB

MD5
0f1fb541827cc6bcc3dbb777c00ca3ed

SHA1
18e68b072c1f24eadb0fe10353ca2725eb1e6869

SHA256
7c770fdb34b37cb6140c8adf3482613aa72dc51f989b9915ff7c45f882a1a81a

SHA512
d26a6d94cafb33880c4bfaa67a687e3a3d68a3851ebacead9a590d611b23e8c1194bb99296f4ac540c0e39790716a80deda52686fb335a2b1611f6abc8c7f8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\mxavcaacplug\mxavcaacplug_deu.chm

Filesize
16KB

MD5
b28fb870f7ac1fc58835cd538f0b3827

SHA1
6535d439db0938e9ca0779e07c6751a111c00183

SHA256
a21893c188660edbfc3700f646316d496bcf7ded8603ef6c9f7852d02ed437ef

SHA512
88fe27c5ee62293ea08f54d0e30d96e37123590ce80dc8b77dc4bb338e03e11c363dce7c75a41824596ea2e55e290bf4d69b9e48e66e870d6bb4e10323d2a78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\mxavcaacplug\mxavcaacplug_esp.chm

Filesize
16KB

MD5
d403b68f94df24047f1f5c06ceb438ff

SHA1
fd41dd09cab1c9b522826715876fc050d3b444ae

SHA256
48a9e9e9a1e5acb2d9afc5622b7decee6b9842a7c639b596247e3dee294b4421

SHA512
45e080281977fad0ce4e2bd268824309d1edca0ff97720ba0aa10d11cab2c0699fbf8746fe68ffc97657787b4bd051a006f48cc28ceb7bd4a2b882eb19e498bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\FileIO Plug-Ins\mxavcaacplug\mxavcaacplug_fra.chm

Filesize
16KB

MD5
24bacd15fc74bb26c48bc6d5b8ce4c98

SHA1
d1f1366025fd2bf0dd5d0a0b3508bc352e77a940

SHA256
c0ca2de16679f5b6f62359cd22bdf69bd5b92dbea96909d6d5537d08c426fc4f

SHA512
fa714f4e227c4e0ab6bf055bf8df7c60f59e3c3dc9f36120c770894cba67eb258269d2a3a285f730b1cbd2544811f504aff64c318fd32fba0fbe562317193f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\Language\local_en_US.cfg

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\OFX Video Plug-Ins\TitlesAndText.ofx.bundle\Contents\Presets\PresetPackage.fr-FR.xml

Filesize
123KB

MD5
97ea2689962ab8cf98f33493ea3f5452

SHA1
ab98a4327552f8ec5f7f735e406355e714454a33

SHA256
783bd330fb73ea7bbc07e5d68cb4ddb7f7e72baea0f2b03b33123b8acacd06fc

SHA512
f0ba296ec3ed0c2637c7ed640f50f460d5ac9d7b17c704a2598ae977deb36fcbd623a135bd870f96c6c4a231f5c37b30fb1ceaa8bb9cc200698df801a8456a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\Program Files\VEGAS\VEGAS Pro 19.0\readme\Vegas_readme_esp.htm

Filesize
39KB

MD5
75a99f02cd8a8dc0f8fb3268a4672075

SHA1
21401407916078b446b7fa3d4356b759e847abb6

SHA256
aed2122e1e206089e01d726eb48327b4572c4d026883130e7e915a1cffb034cc

SHA512
93c050c575d59a8dbdc3f4e9699d80dee36c4a28afb4e50a33c3cd90cf13b5a5684c9e34d83757c2f52351522a4fb539b408f18d3557355d40f254b8dde1689b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVP19\vegas190.msi

Filesize
3.2MB

MD5
9edd67a98c8551561d8aa6332230390c

SHA1
266f20fbdd8c73c7c96c6a475a3a3f8a3c5054fe

SHA256
039b83902e328c7a6ec9c47fcffeba591cee9cb80e027c502334db26b34762b4

SHA512
e18c83636eedaa8f68278b11f2fc20c1e074c174fa6a62202f4db781ee949338ef300b8ee32322d047d3ba0567410d3acf98918ea41bded07a315515e22d313b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8C.tmp\LangDLL.dll

Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8C.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8C.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8C.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8C.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\VEGAS Pro\19.0\FFCache_x64_1033.ini

Filesize
2KB

MD5
716b1d179b918683504d7082a47b4544

SHA1
8baeece54522f0b0ba9b4889f374c1c42495899f

SHA256
412cae6eba9a0ac9babedd9e0fe3a51363ea235f54f748d258773568f4e1d5c5

SHA512
9849dd20b8aa97d746e81d2073ef84e927492537e2179765faeb58d36cf5a171e3fdb14bf25acb69c0bf98fd0fea27210be6e8a890357272d4d83674f5ef35df

Download Submit
C:\Users\Admin\AppData\Local\VEGAS Pro\19.0\svfx_plugin_cache.bin

Filesize
34KB

MD5
23216946ae74bcf7187514748bdb046f

SHA1
f25b9559a3c439162f492a0fe27442238524ac92

SHA256
a6f5f5c5258a4c707dfa3c17e6e090b2762e8488404126f6cfb16bf8bafb12ce

SHA512
949de661118e78a87b17297a52f2021e0801753cbe11bf3bd6654360a3fc54278323f0b1ccbd262b95be4fed1285bc4996348411485caa0d842e2106a9e9fc88

Download Submit
C:\Windows\Installer\MSI9512.tmp

Filesize
1.7MB

MD5
beac8693a2cc003c2609b2b69579d82f

SHA1
6e81ae73fc05a372e282794d9b47a0f98b18894a

SHA256
e1c19ffc7d4c2521c385ed22955152b49d78cd19bbeccee36b3886a2262c5b14

SHA512
9f66748a506ea4bd2ad3d72a924f5471d0c9b039cfffc9c38e5c52b7741cbb7661047259bf984984a4c6e2bb6460469f1c83d555f07db7d347bb3fcd6a0a591e

Download Submit
C:\Windows\Installer\MSIEA4C.tmp

Filesize
123KB

MD5
5cb7ec6843aa69694096d98e467bc5e7

SHA1
ade3a650ccfff23264c3e95819126c4be6eb57cb

SHA256
c03b47bcbe6c28cfa612950814ca383dddd0d4a527cc17f1750b8385d4917aad

SHA512
540e905256195ab904d1313b72811ca73f9dcbdb419c28cbbb83232e9fee966c3d80ca322f3701a0468e9bb545e4ca08e1106ae6254f59e100e703c139e40ce9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
45KB

MD5
ab6bf80bdd8b7295bb9d5191ccc05cb9

SHA1
40872f33cb2262e29c99df36cbc909753c388509

SHA256
076cec44c3707766287e052a137677de6ffa960b61daa4394ee7adcd7fa40b64

SHA512
e1d1029f2466fe8e0693cab79fb87e438bcc35af5ebc055378e33ffac65d3afea23a540002e704bddf024ba6cde02cef8ed7399d728d2c3e5a3f43b1269c6c26

Download Submit
memory/636-6238-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/732-6145-0x0000021D67ED0000-0x0000021D67EE6000-memory.dmp

Filesize
88KB

Download
memory/1180-6283-0x0000000010030000-0x0000000010083000-memory.dmp

Filesize
332KB

Download
memory/1224-6345-0x0000000006C60000-0x0000000006C81000-memory.dmp

Filesize
132KB

Download
memory/1708-6453-0x0000000007720000-0x0000000007741000-memory.dmp

Filesize
132KB

Download
memory/2072-6269-0x0000000011000000-0x0000000011025000-memory.dmp

Filesize
148KB

Download
memory/2072-6268-0x0000000006D40000-0x0000000007094000-memory.dmp

Filesize
3.3MB

Download
memory/2552-6251-0x0000000030000000-0x0000000030006000-memory.dmp

Filesize
24KB

Download
memory/2640-7963-0x0000000073A50000-0x0000000073A89000-memory.dmp

Filesize
228KB

Download
memory/3328-7855-0x0000000010350000-0x0000000010372000-memory.dmp

Filesize
136KB

Download
memory/3328-7852-0x000000000FCB0000-0x000000000FCC8000-memory.dmp

Filesize
96KB

Download
memory/3328-7853-0x00000000103C0000-0x0000000010422000-memory.dmp

Filesize
392KB

Download
memory/3328-7848-0x000000000FB10000-0x000000000FB60000-memory.dmp

Filesize
320KB

Download
memory/3328-7851-0x000000000FAE0000-0x000000000FAFE000-memory.dmp

Filesize
120KB

Download
memory/3328-7850-0x000000000FB60000-0x000000000FB82000-memory.dmp

Filesize
136KB

Download
memory/3328-7854-0x00000000106E0000-0x0000000010866000-memory.dmp

Filesize
1.5MB

Download
memory/3328-7849-0x0000000010490000-0x0000000010542000-memory.dmp

Filesize
712KB

Download
memory/3328-7847-0x00000000102C0000-0x0000000010344000-memory.dmp

Filesize
528KB

Download
memory/3412-6452-0x0000000007B10000-0x0000000007B8D000-memory.dmp

Filesize
500KB

Download
memory/3744-6299-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/5196-6223-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/5196-6233-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/5196-6199-0x0000000005D80000-0x0000000005D88000-memory.dmp

Filesize
32KB

Download
memory/5196-6198-0x0000000005EB0000-0x0000000005EF8000-memory.dmp

Filesize
288KB

Download
memory/5196-6206-0x0000000006960000-0x0000000006CB4000-memory.dmp

Filesize
3.3MB

Download
memory/5196-6208-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/5196-6209-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

Filesize
304KB

Download
memory/5196-6210-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download
memory/5196-6211-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/5196-6213-0x0000000006E40000-0x0000000006E90000-memory.dmp

Filesize
320KB

Download
memory/5196-6214-0x0000000006F50000-0x0000000007002000-memory.dmp

Filesize
712KB

Download
memory/5196-6215-0x0000000007010000-0x0000000007076000-memory.dmp

Filesize
408KB

Download
memory/5196-6212-0x0000000006DB0000-0x0000000006DEC000-memory.dmp

Filesize
240KB

Download
memory/5196-6216-0x00000000075B0000-0x0000000007ADC000-memory.dmp

Filesize
5.2MB

Download
memory/5196-6217-0x0000000006E90000-0x0000000006EB2000-memory.dmp

Filesize
136KB

Download
memory/5196-6218-0x0000000007120000-0x00000000071B2000-memory.dmp

Filesize
584KB

Download
memory/5196-6219-0x0000000006EC0000-0x0000000006EDC000-memory.dmp

Filesize
112KB

Download
memory/5196-6220-0x0000000007FB0000-0x000000000847C000-memory.dmp

Filesize
4.8MB

Download
memory/5196-6221-0x0000000006F30000-0x0000000006F42000-memory.dmp

Filesize
72KB

Download
memory/5196-6222-0x0000000007080000-0x00000000070A0000-memory.dmp

Filesize
128KB

Download
memory/5196-6224-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download
memory/5196-6205-0x0000000005F10000-0x0000000005F1A000-memory.dmp

Filesize
40KB

Download
memory/5196-6225-0x00000000072C0000-0x000000000738E000-memory.dmp

Filesize
824KB

Download
memory/5196-6227-0x00000000071F0000-0x000000000720A000-memory.dmp

Filesize
104KB

Download
memory/5196-6226-0x0000000007240000-0x0000000007284000-memory.dmp

Filesize
272KB

Download
memory/5196-6228-0x0000000007AE0000-0x0000000007C02000-memory.dmp

Filesize
1.1MB

Download
memory/5196-6229-0x0000000007390000-0x000000000740D000-memory.dmp

Filesize
500KB

Download
memory/5196-6231-0x0000000007290000-0x00000000072B0000-memory.dmp

Filesize
128KB

Download
memory/5196-6230-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/5196-6204-0x0000000006160000-0x00000000061DA000-memory.dmp

Filesize
488KB

Download
memory/5196-6232-0x0000000007C10000-0x0000000007D96000-memory.dmp

Filesize
1.5MB

Download
memory/5196-6235-0x0000000007450000-0x0000000007462000-memory.dmp

Filesize
72KB

Download
memory/5196-6234-0x0000000007490000-0x00000000074CC000-memory.dmp

Filesize
240KB

Download
memory/5196-6203-0x0000000006070000-0x00000000060DC000-memory.dmp

Filesize
432KB

Download
memory/5196-6202-0x0000000005FB0000-0x0000000005FFF000-memory.dmp

Filesize
316KB

Download
memory/5196-6200-0x0000000005F20000-0x0000000005F32000-memory.dmp

Filesize
72KB

Download
memory/5196-6201-0x0000000005F40000-0x0000000005F5C000-memory.dmp

Filesize
112KB

Download
memory/5196-6197-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/5196-6195-0x0000000005DA0000-0x0000000005DF6000-memory.dmp

Filesize
344KB

Download
memory/5196-6196-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/5196-6194-0x0000000005D10000-0x0000000005D35000-memory.dmp

Filesize
148KB

Download
memory/5196-6193-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/5196-6192-0x0000000005CF0000-0x0000000005CF8000-memory.dmp

Filesize
32KB

Download
memory/5516-6172-0x00007FF67DCE0000-0x00007FF680B6C000-memory.dmp

Filesize
46.5MB

Download
memory/5616-6166-0x000002238E350000-0x000002238E351000-memory.dmp

Filesize
4KB

Download
memory/5744-6161-0x00000245D5FC0000-0x00000245D5FD6000-memory.dmp

Filesize
88KB

Download
memory/5796-6159-0x000002712A8F0000-0x000002712A906000-memory.dmp

Filesize
88KB

Download
memory/5808-6529-0x0000000003250000-0x00000000032CD000-memory.dmp

Filesize
500KB

Download
memory/5852-6153-0x000001FA4D3E0000-0x000001FA4D3F6000-memory.dmp

Filesize
88KB

Download
memory/5888-6155-0x00000275B47C0000-0x00000275B47D6000-memory.dmp

Filesize
88KB

Download
memory/5916-6157-0x00000215FA400000-0x00000215FA416000-memory.dmp

Filesize
88KB

Download
memory/5920-6149-0x00000297AFD10000-0x00000297AFD26000-memory.dmp

Filesize
88KB

Download
memory/5952-6151-0x00000266D1910000-0x00000266D1926000-memory.dmp

Filesize
88KB

Download
memory/5968-6147-0x0000018BC2620000-0x0000018BC2636000-memory.dmp

Filesize
88KB

Download
memory/5984-6315-0x0000000064D10000-0x0000000064DE8000-memory.dmp

Filesize
864KB

Download
memory/5988-6920-0x0000000074290000-0x0000000074292000-memory.dmp

Filesize
8KB

Download
memory/6008-6143-0x000001DA0CA10000-0x000001DA0CA26000-memory.dmp

Filesize
88KB

Download
memory/6048-6141-0x000001AF99830000-0x000001AF99846000-memory.dmp

Filesize
88KB

Download
memory/6104-6300-0x00000000628D0000-0x0000000062B5E000-memory.dmp

Filesize
2.6MB

Download