banload | b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Size

46.2MB
MD5

5ad23c8209fd17a66c6e37436f257a91
SHA1

47afe2053859cf1ebe0f45fa75d0ce77945f89da
SHA256

b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476
SHA512

cd4dad7b8a37c9e141b4e86cc3b861f5a6250f0c716326b9fe295bc36ce3bf2b42fd9630e47677eac333e02d0358b175007fd0bfd4636836ec4871bec626d3c4
SSDEEP

786432:GVmrjV7eIAtBXcnm0+Hm+vwZW9a3kTxI2Un/Elw4+rTEl4ElUyemgEmtV8r8G:GVmrjV7eIjnP+TYZQaB3Ex+HEpUxkrn

Score

10^/10

banload defense_evasion discovery downloader dropper execution persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
2368	MSIA54A.tmp
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
1296	MSIB205.tmp
2328	register64.exe
1736	ezcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2868	MsiExec.exe
1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
2936	MsiExec.exe
2936	MsiExec.exe
2936	MsiExec.exe
2936	MsiExec.exe
2936	MsiExec.exe
2944	MsiExec.exe
2944	MsiExec.exe
2248	MsiExec.exe
2248	MsiExec.exe
2248	MsiExec.exe
2248	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2348	msiexec.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2328	register64.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2092	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe
1736	ezcd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\M:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\N:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\L:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	ezcd.exe
File opened (read-only)	\??\G:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Q:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\B:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Z:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Y:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\V:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\D:	ezcd.exe
File opened (read-only)	\??\O:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\EZ CD Audio Converter\decm_vorbis.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_dsf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_xheaacf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-localization-l1-2-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\bulgarian.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\ezcd.exe	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_dff.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_eac3.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\xml.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\dutch.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\uninstall.exe	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_wavpack.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_au.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-heap-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_wavacm.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\svenska.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_vorbis.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\swresample-5.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_ffmpeg.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_aac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-crt-convert-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\storelogo.scale-200.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_aiff.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_thdmka.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-timezone-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_tta.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\korean.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_au.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_raw.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\chinese simplified.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\italiano.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\portugues (brasileiro).uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_flac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_am4b.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-256.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\francais.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_opus.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_aiff.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_alac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_wma.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_dsf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\msvcp140_2.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-sysinfo-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.scale-100.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_wma.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_wma.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_opus.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_ac3.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_eac3mka.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\macedonian.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\russian.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\turkish.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_aaac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-memory-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\ezcdshell.appx	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\resources.scale-125.pri	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-16.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\slovak.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_mpc.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_tta.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\arabic.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_dsf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_w64.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.scale-125.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76a021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB129.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a01f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA15F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4DB.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a01f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB205.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA82A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a016.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA21B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA289.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a019.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA54A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA675.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a019.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a01c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF44.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a016.msi	msiexec.exe
File created	C:\Windows\Installer\f76a01b.msi	msiexec.exe
File created	C:\Windows\Installer\f76a01c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACDF.tmp	msiexec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2368	MSIA54A.tmp
1296	MSIB205.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
1508	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIA54A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd.1\CLSID	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\AudioCD\ = "Rip audio CD"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\931A48B9DD80DBF4AAF66144935235A5\ED7B6546A6BA88D4A9A41AF2AF967480	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\ = "EzCd Class"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\InprocServer32	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\HELPDIR	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\TypeLib	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\0\win64	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\0\win64\ = "C:\\Program Files\\EZ CD Audio Converter\\ezcd64.dll"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\VersionIndependentProgID\ = "EzCd.EzCd"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ = "IEzCd"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ProxyStubClsid32	register64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\PackageName = "Setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\TypeLib	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\TypeLib\ = "{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\AudioCD	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\EmptyCD\ = "Burn disc"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\VersionIndependentProgID	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EzCd\ = "{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\EmptyCD\command	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EzCd	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\FLAGS	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	register64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EzCd\ = "{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\TypeLib\Version = "1.0"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ = "IEzCd"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\CLSID\ = "{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\EZ CD Audio Converter\\EZ CD Audio Converter 12.0.1.1\\install\\E7D27BC\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\931A48B9DD80DBF4AAF66144935235A5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd.1\ = "EzCd Class"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\FLAGS\ = "0"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\CurVer	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\ProgID	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\DefaultIcon	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Version = "201326593"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EB55958-633B-B502-6AF3-56089298885B}\ = "CompositeMoniker"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\CLSID	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\ProgID\ = "EzCd.EzCd.1"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\ = "EzCd Type Library"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\TypeLib\ = "{E46D6DC6-9707-43a9-BDBB-0BDBDD096F91}"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EzCd	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7DA6A3856C6D3134F9A61104EBD772CB\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2348	msiexec.exe
2348	msiexec.exe
2348	msiexec.exe
2348	msiexec.exe
1508	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeCreateTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeMachineAccountPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTcbPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSecurityPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLoadDriverPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemProfilePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemtimePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePagefilePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePermanentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeBackupPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRestorePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeShutdownPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAuditPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeChangeNotifyPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeUndockPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSyncAgentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeEnableDelegationPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeManageVolumePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeImpersonatePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateGlobalPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeMachineAccountPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTcbPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSecurityPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLoadDriverPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemProfilePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemtimePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePagefilePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePermanentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeBackupPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRestorePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeShutdownPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAuditPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeChangeNotifyPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeUndockPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSyncAgentPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeEnableDelegationPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeManageVolumePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeImpersonatePrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateGlobalPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
2728	msiexec.exe
1880	msiexec.exe
1880	msiexec.exe
2728	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	ezcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 2348 wrote to memory of 2868	2348	msiexec.exe	31
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 1884 wrote to memory of 2728	1884	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2936	2348	msiexec.exe	33
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2348 wrote to memory of 2368	2348	msiexec.exe	34
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2368 wrote to memory of 1880	2368	MSIA54A.tmp	35
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2944	2348	msiexec.exe	36
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 2248	2348	msiexec.exe	37
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 1208	2348	msiexec.exe	38
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 2092	2348	msiexec.exe	39
PID 2348 wrote to memory of 1296	2348	msiexec.exe	40

C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1743123581 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C78E1871B132A0DD1234059527F475EB C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3124B627F3D0F5D02974275C2A96C015
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\Installer\MSIA54A.tmp
  "C:\Windows\Installer\MSIA54A.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Temp\setup.msi"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A703AD5F7DA4852EE9228C7AF0FC1C68 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB3CDEE953B70E174F4FDB0FB6D41742
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B8FC59DF1E0300A5C29FAD51CEABD96B M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2092
- - C:\Program Files\EZ CD Audio Converter\register64.exe
    "C:\Program Files\EZ CD Audio Converter\register64.exe" register
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2328
- - C:\Program Files\EZ CD Audio Converter\ezcd.exe
    "C:\Program Files\EZ CD Audio Converter\ezcd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1736
- C:\Windows\Installer\MSIB205.tmp
  "C:\Windows\Installer\MSIB205.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Temp\cmd.bat"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  PID:1296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
    3⤵
    PID:1464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "tar -xf N.jpg -C $env:public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Move-Item -Path 'N.jpg' -Destination $env:public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a01a.rbs

Filesize
1.9MB

MD5
92e27199c485c95d88dd250d34693f9d

SHA1
271def85d83677e1cb812117214ef858dc3aea1e

SHA256
8afd04434ab199cc6977f063a93a9b3c8c61b15d329ee81d079ab8f6c28c012e

SHA512
ffd0e933819dd10eddb6d3e50234b4ec75bfc75b4b9d6e61544ccc1f938e7945693a5acd78f2bef89d241f04aca662c36835966fe4743042f8c0a53ab5073bbc

Download Submit
C:\Config.Msi\f76a020.rbs

Filesize
1.9MB

MD5
bc0cf85d4101fb084f281c851125350e

SHA1
4b8ce3531f7e792cd9ea8bb85e9e909cc395c4fc

SHA256
3577236dbf719ea34019a585723d758f383c0b37d26dddd72214814734469c18

SHA512
b1fb89ddba0db5c4e0bb6d74a12a58b8ea4cca6b9e10c2d5e062ac6e02e028e1214ad043a85e0506ec46c6c952bcec2e8d20b92c247eb40dbd6171c6007a515e

Download Submit
C:\Program Files\EZ CD Audio Converter\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
75c8a3c1dfe2096f1a2c6ba51de7196f

SHA1
eb17720383791d75ccc2ed729900c1e8e8165504

SHA256
3d95961590fe6da5c569bcb0a54651488e70dd7b15c257e1b9faf8a3cc0e63e4

SHA512
8c6af5c49a321d60b14032780bf6d93a51ed7fe97940e06dfb251d295f51f2788cd7931a848cea94607d81acb9bb225086dd879159e67cda0c355173e69543ea

Download Submit
C:\Program Files\EZ CD Audio Converter\ezcd64.dll

Filesize
692KB

MD5
af4b35101d3f77fae67f9a0fdcc62559

SHA1
3b94904a6565bf46e47baecb5e1ee5d1701a19a6

SHA256
cd1728e4cb3eff23d5d9c85c36037f84370dbc7625fae7fad5e49887ea392455

SHA512
3c18e16556b0a922f8cc0aa22206cf053d3ca54acdb6de980f2073fb26097a6db951f24d1c22d8a03c4b9d3344030be921913e77cb8c69b9cbe7399f798b9c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\EZ CD Audio Converter\converter_normal.txt

Filesize
682B

MD5
5fe1e6f8fb8ac21f63049cf39089f53a

SHA1
3176505294c2b2022fbcd227a2493b2a20fb2533

SHA256
b4e717f9ef7af9ba991f9c36b56cb9b4f51fe3b8f29b738496f3af4dcb48d47e

SHA512
a9668866637c6f5e22ea0bcaf2fa56d81beb78540b419ef8ce41118d0cf7cbf766f38b8c0d6ab72839f2874075aa1e8526a815d95d9f05e4a2a59d00e9640ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9E71.tmp

Filesize
997KB

MD5
ee09d6a1bb908b42c05fd0beeb67dfd2

SHA1
1eb7c1304b7bca649c2a5902b18a1ea57ceaa532

SHA256
7bbf611f5e2a16439dc8cd11936f6364f6d5cc0044545c92775da5646afc7752

SHA512
2dd2e4e66d2f2277f031c5f3c829a31c3b29196ab27262c6a8f1896a2113a1be1687c9e8cd9667b89157f099dfb969ef14ae3ea602d4c772e960bc41d39c3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.jpg

Filesize
748KB

MD5
77a525a2fe92d8e23c5c998fc4a1c69a

SHA1
fd1c8824ff28ce087922b791925436a4fbca1389

SHA256
96428e36617977b9289b8ae83bdf0542557d82b7eb051ef8778ef6e26aeca228

SHA512
a1b663152f3c8c3c984ab562b038e54fe4d8486b605d8a6684c2f0b595d00087584267dd82e769893e64b69287094dd7ad5b682b1fd7a4f846938f80309dffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C82.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
379B

MD5
792e9112b9726f770a5ca41fb70e06ee

SHA1
1cd73dc1f39cd5d95ccf6ce17e77f4a113d57540

SHA256
da8efe220f30659356c0cbd12b455d7f531259b55986e36702e617ae04adf412

SHA512
11b9b89a1239b1af1a0952fba7d8b0f8953adf3bec4c38534c70a1d21d67579a29cfa6bd00fce3152deaffeeac326e465052b33adaa676c98c3b87ce5f6d696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe

Filesize
39.4MB

MD5
bb90a50012560b0d8e68e86201dec567

SHA1
84f0d7ecdfebc2d0fd7ca3ec096a4662d8464570

SHA256
36ba743905a360037896c52d27af3c5e127683ab2c69a37eca718de121761f2d

SHA512
1c5ea48cb81d6ed9b785ab58677685c9716a179bacbc09fa2d16e71769a9ad498572f4e7629b89f28072a282625b0893f6ff7250a8ea0ab6317a7d2d1628d9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB211.tmp\modern-wizard.bmp

Filesize
150KB

MD5
5dc251b994c2499628eaca24b0ec587f

SHA1
6904b12c39e4765414a4502ca59bd6405e39b364

SHA256
22727d9d1e3e0fe0df182c23b15d6a126ed19c2d1781af8d56e43f87e6506ac1

SHA512
ffba72a87ba1462e62fbaa19015a1a443423ff807483f5e2dafeeae9be3e40505769bda5a1b88eedc8e67b92900961e0d30f9e714e5a96a9b2f1d4a3f6150ad1

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi

Filesize
3.7MB

MD5
351a6f10aeed68dd1131b2a99545793a

SHA1
8cdfa38ff8e774bc196130a64cbdaa6369c7f385

SHA256
a9fe53323e9c89bb836d8adcb2d1c36d4d1f84373f4277ee14b8df3aa3272e65

SHA512
5417ebf76f311a43d32c82e9662e7b790cc149afd25cd35af75dfbe477099e701b5fa194428a47a001b9c64dae0d4dff779ede6b1b894f9264e4d743437b99bf

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup.msi

Filesize
2.9MB

MD5
a18598ac9402f45ba22cea4f7bdd4782

SHA1
76db003cee073a307a28b8dc2a901d587d014377

SHA256
696736cd779c3e16f75faffffcace334e9b71399b0650cb745d72acf4acfe224

SHA512
7c384fd092162e90005243df9b3497f879f54e91a0e614ffc1ac2b11e119d0cadc7e5a4e3f4d84ab77640f0e8d5a1a326e1eaf5ea4fbc4ac75616d3b84009e8e

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup1.cab

Filesize
39.8MB

MD5
627b5e0d1a432aa6e66ce5dd5af8baa6

SHA1
fafdb61d971f2741eac3a7bbefb754db64bf0c70

SHA256
51d580e3f429a018591ea0df27f13e87efdd0692070ea9104fd1210750ba85e6

SHA512
5aba06618e0ff8cc8544aa1c0fc5b1cd7bee17442e841e82c4e047d6a21c34e1a8a4b6b08f386019e689eecc7e17201b57caa52e5da6a0a501b1bfc6f645a6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
62231dacd285e398c7c0ed810e1c566c

SHA1
c576069341b0b2bf1b65f67811d38171f968a0d7

SHA256
6dad4946405fe4fa85458894803dd162660d7631de11b8db7c0aa94072d5c214

SHA512
56ced497d961b9b48946f00b92b9c2fd9a5305bd779ba9dbc4c0252a1b52b301c59a6c42fee55ba138d7ea49b6e8e7636388554a6f1489f295e6339fc5dc1ee9

Download Submit
C:\Windows\Installer\MSIA4EC.tmp

Filesize
967KB

MD5
bf6adc8f7e5afea02b8514b3f93dc30b

SHA1
1eea8393c3481d2be5b68af98efe70493dea1b1f

SHA256
5011c2403744c70efa01ce5341a8da118667268d74a0f046a5f7e93290b69529

SHA512
b1bb78aabd5a16c8f88c70e16fae90a15dd426dd014291e82952416c3f6a60413c642c1d46e586079f0a3904f88d53f37195acb2e001c0586f61baf675ffda72

Download Submit
C:\Windows\Installer\MSIA54A.tmp

Filesize
411KB

MD5
daefcc204211c3d179eacc0c6ee4bcc6

SHA1
3bfc444a87d30dcc77730ad5bdb65b9593b50925

SHA256
d74b55c93e4991ac882af31978a186a797ac9cde0c93747094e0422106b8d100

SHA512
6aa70b0a48868b3de1dd0a96835db024ae325ae3fc5725567d54369b91c20972c1c3b7c8620f2189784010cf44bb6577a75702ef20f71f4eaf75deaf149492d1

Download Submit
\Program Files\EZ CD Audio Converter\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
c9103f6861fa14345cfb763189292cb4

SHA1
f3959ba76d98add1f7e502f01aa470efe7df24ee

SHA256
e4a6bd5d65d39da4424ab7828959cfeb7c362e29008bc63ecf16fb3b20001807

SHA512
e14c23a8a1913b10598ee57381ba9d51880b1615c995a54d7dfb65af6bf22c4d2740225fe20ddfc0309d2dd043db2505b063644588608b4b7b32382082b2ab43

Download Submit
\Program Files\EZ CD Audio Converter\ezcd.exe

Filesize
8.6MB

MD5
40665f02ec466d58f39307b3b7582a00

SHA1
82f81ee2f5805d0dcc6ea107d81bbfcd5019ee79

SHA256
64ea1b5673152de5ea87dfc68c0461321c3f3d1a1d9d45f1f35dff14df65295a

SHA512
cd87108535f4cd34bd4ec2dfd05e10e5e1dc5cbfd130cc9834cfc1ba1a45c2db1a4171c6009987dcff365a1c4c07952841f6ac2788e4c5875bcd2b7a33d52b80

Download Submit
\Program Files\EZ CD Audio Converter\register64.exe

Filesize
148KB

MD5
5872f17645e7ae8436d7607bbbf16cd2

SHA1
767b605431383444afc4d3ca714cc1a9e57f75ff

SHA256
d536a588a513c62145a7f4c1541ae64ddb8495049ceeb4204575266181c91e0d

SHA512
dffb23a467d4eeb19bc4fa3d89337b490bc33522d8d4b74dd82919103d7b44d1912bd11008368649321b12278b50cc9f036d9a195d792774610c93b037440326

Download Submit
\Program Files\EZ CD Audio Converter\ucrtbase.dll

Filesize
1.1MB

MD5
6a44a2235d33b3f154fc50dc72e8ea61

SHA1
e98127a010bc6555e50e2ce7eba6ead8d8e13bf3

SHA256
91d027417ff2301b7135e864a5df6693488f8412ff87040f4897e0e03bc2577b

SHA512
057595ef00dc41aab49d654dc1b8dfdfaad58a3e2cf764db71090413b04e07c618d4592b390d170a4fbbc02f04c68f11b382258e3bf13a1791c6bfc97df7687b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB211.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB211.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB211.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca5bb0ee2b698869c41c087c9854487c

SHA1
4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

SHA256
c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

SHA512
363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

Download Submit
\Users\Admin\AppData\Local\Temp\pre9F1E.tmp

Filesize
886KB

MD5
1d51848e7512c27af22cdf0213e11cf5

SHA1
d35ab52e49c82bb72f0ad7c7568035e8a41564e4

SHA256
0b73497f2ad7a4a04f36b8d46816c5404ba828d7feeca90b3abe28599e9c4619

SHA512
b6513f1ab6af820fd139ba5fe5399268077c328b8dbd19471db203f94f6aec2702baaec37209b4056531cab56d54b09f6d446f0f398befa1cc9cd4f77e65e079

Download Submit
\Windows\Installer\MSIB205.tmp

Filesize
532KB

MD5
74a4833cf5cd5396535b5f236569e0f2

SHA1
c1f97472ed374066dd1dac8b5b7c587c283b1ad2

SHA256
831375810426bd21735509c377b28e5553e3b59026c48f579b1143ec70b40fd1

SHA512
8ee522e88c9bfbb11cb734def3d1266a046d9fdc8b1f58d59f0bfa3c50d709b579362a0e2162d9dfb207a054dd1f4c41e4cd2d05bfe2b85c81b1ccdd75637eae

Download Submit
memory/1508-144-0x000000001BCE0000-0x000000001BFC2000-memory.dmp

Filesize
2.9MB

Download
memory/1508-145-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1736-503-0x0000000003CF0000-0x0000000003ED8000-memory.dmp

Filesize
1.9MB

Download
memory/1736-152-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/1736-517-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-521-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-519-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-518-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-516-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-513-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-530-0x0000000003CF0000-0x0000000003ED8000-memory.dmp

Filesize
1.9MB

Download
memory/1736-529-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-528-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-534-0x0000000003CF0000-0x0000000003ED8000-memory.dmp

Filesize
1.9MB

Download
memory/1736-652-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-514-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-151-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1736-599-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-602-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-606-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-612-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-618-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-623-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-631-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-637-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-640-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1736-646-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1884-0-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download