banload | b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476

Analysis

max time kernel
153s
max time network
136s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Size

46.2MB
MD5

5ad23c8209fd17a66c6e37436f257a91
SHA1

47afe2053859cf1ebe0f45fa75d0ce77945f89da
SHA256

b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476
SHA512

cd4dad7b8a37c9e141b4e86cc3b861f5a6250f0c716326b9fe295bc36ce3bf2b42fd9630e47677eac333e02d0358b175007fd0bfd4636836ec4871bec626d3c4
SSDEEP

786432:GVmrjV7eIAtBXcnm0+Hm+vwZW9a3kTxI2Un/Elw4+rTEl4ElUyemgEmtV8r8G:GVmrjV7eIjnP+TYZQaB3Ex+HEpUxkrn

Score

10^/10

banload defense_evasion discovery downloader dropper execution persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
1572	MSIFB27.tmp
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
1736	MSI1817.tmp
2336	register64.exe
844	ezcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2932	MsiExec.exe
2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
1612	MsiExec.exe
1612	MsiExec.exe
2372	MsiExec.exe
2372	MsiExec.exe
2372	MsiExec.exe
2372	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2184	msiexec.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2336	register64.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
2112	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
1336	Process not Found
1336	Process not Found
1336	Process not Found
1336	Process not Found
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe
844	ezcd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\U:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\X:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\D:	ezcd.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\P:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\W:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Z:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\V:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	ezcd.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\T:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\Y:	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\EZ CD Audio Converter\met_wavpack.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_m4af.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-profile-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-48.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_m4b.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-console-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_raw.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-32_altform-unplated.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\romana.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\metm_dsf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_wavpack.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_aac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_m4b.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\ezcd.exe	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_opus.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-crt-string-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\german.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files (x86)\EZ CD Audio Converter\EZ CD Audio Converter\regid.1995-09.com.example_29142d5d-db26-4c45-9f96-5e3944472849.swidtag	MsiExec.exe
File created	C:\Program Files\EZ CD Audio Converter\avcodec-61.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\metm_id3.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\storelogo.scale-400.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\avutil-59.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\jiso.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_ac3.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_wavacm.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\ezcdshell.appx	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-20.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-errorhandling-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-file-l2-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-crt-math-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\spanish.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_flac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_wma.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_aac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_mpc.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_flac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\MatroskaMetadata.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-debug-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-interlocked-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_aiff.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\decm_sacd.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_dts.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-crt-environment-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square150x150Logo.scale-200.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square150x150Logo.scale-400.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-20_altform-unplated.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\metm_ape.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\met_dsf.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_ac3mka.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-console-l1-2-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-fibers-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\polish.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\dec_wavpack.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_wav.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_wavpackdsd.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_w64.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-processenvironment-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-processthreads-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\enc_tta.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\Language\chinese traditional.uni	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\encm_xheaac.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\api-ms-win-core-file-l1-1-0.dll	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
File created	C:\Program Files\EZ CD Audio Converter\notify.wav	ez_cd_audio_converter_setup_x64-12.0.1.1.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77eaa6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77eaa6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ea9d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC42.tmp	msiexec.exe
File created	C:\Windows\Installer\f77eaa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI662.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDD9.tmp	msiexec.exe
File created	C:\Windows\Installer\f77eaa0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77eaa0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7D.tmp	msiexec.exe
File created	C:\Windows\Installer\f77eaa8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1548.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1817.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB27.tmp	msiexec.exe
File created	C:\Windows\Installer\f77eaa2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI345.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77eaa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F9.tmp	msiexec.exe
File created	C:\Windows\Installer\f77ea9d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF07A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF960.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI932.tmp	msiexec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1572	MSIFB27.tmp
1736	MSI1817.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1108	powershell.exe
2680	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIFB27.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd.1\CLSID	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\ = "EzCd Type Library"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\0\win64\ = "C:\\Program Files\\EZ CD Audio Converter\\ezcd64.dll"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ = "IEzCd"	register64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DD436A7DD74F054CBC5662268696EB0\7DA6A3856C6D3134F9A61104EBD772CB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\VersionIndependentProgID	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\TypeLib\Version = "1.0"	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DD436A7DD74F054CBC5662268696EB0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd.1\ = "EzCd Class"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EzCd\ = "{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EB55958-633B-B502-6AF3-56089298885B}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\ProductName = "EZ CD Audio Converter"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\AudioCD\command\ = "\"C:\\Program Files\\EZ CD Audio Converter\\ezcd.exe\" -nn"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EB55958-633B-B502-6AF3-56089298885B}\InprocServer32\14.0.0.0	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\PackageCode = "9A977F221962406478E948CFA1B0D001"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\InprocServer32\ = "C:\\Program Files\\EZ CD Audio Converter\\ezcd64.dll"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\HELPDIR\ = "C:\\Program Files\\EZ CD Audio Converter"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\AudioCD\ = "Rip audio CD"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EB55958-633B-B502-6AF3-56089298885B}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkOptionButtonClass"	ezcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd.1	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\CurVer	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ = "IEzCd"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\TypeLib\ = "{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\EZ CD Audio Converter\\EZ CD Audio Converter 12.0.1.1\\install\\E7D27BC\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\ = "EZ CD Audio Converter"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\EmptyCD	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\931A48B9DD80DBF4AAF66144935235A5\ED7B6546A6BA88D4A9A41AF2AF967480	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\0	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\ = "EzCd Class"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\ProductName = "EZ CD Audio Converter"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7B6546A6BA88D4A9A41AF2AF967480	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\InprocServer32	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell\AudioCD	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\TypeLib	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\DefaultIcon	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\shell	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\Version = "201326593"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\Programmable	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F92}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay\DefaultIcon\ = "\"C:\\Program Files\\EZ CD Audio Converter\\ezcd.exe\",0"	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EB55958-633B-B502-6AF3-56089298885B}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7B6546A6BA88D4A9A41AF2AF967480\MainFeature	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7B6546A6BA88D4A9A41AF2AF967480\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E46D6DC6-9707-43A9-BDBB-0BDBDD096F91}\1.0\FLAGS	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}	register64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ezcd.AutoPlay	ez_cd_audio_converter_setup_x64-12.0.1.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7DA6A3856C6D3134F9A61104EBD772CB\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EzCd.EzCd\CurVer\ = "EzCd.EzCd.1"	register64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E46D6DC6-9707-43a9-BDBB-0BDBDD096F90}\ProgID\ = "EzCd.EzCd.1"	register64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2184	msiexec.exe
2184	msiexec.exe
2184	msiexec.exe
2184	msiexec.exe
1108	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeCreateTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeMachineAccountPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTcbPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSecurityPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLoadDriverPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemProfilePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemtimePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePagefilePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePermanentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeBackupPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRestorePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeShutdownPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAuditPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeChangeNotifyPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeUndockPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSyncAgentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeEnableDelegationPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeManageVolumePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeImpersonatePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateGlobalPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeMachineAccountPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTcbPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSecurityPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLoadDriverPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemProfilePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemtimePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePagefilePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreatePermanentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeBackupPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRestorePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeShutdownPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAuditPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeChangeNotifyPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeUndockPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeSyncAgentPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeEnableDelegationPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeManageVolumePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeImpersonatePrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateGlobalPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeCreateTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
Token: SeLockMemoryPrivilege	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
2952	msiexec.exe
1444	msiexec.exe
2952	msiexec.exe
1444	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
844	ezcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2184 wrote to memory of 2932	2184	msiexec.exe	31
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2736 wrote to memory of 2952	2736	2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe	32
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 2916	2184	msiexec.exe	33
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 2184 wrote to memory of 1572	2184	msiexec.exe	34
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 1572 wrote to memory of 1444	1572	MSIFB27.tmp	35
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 1612	2184	msiexec.exe	36
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2372	2184	msiexec.exe	37
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2000	2184	msiexec.exe	38
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 2112	2184	msiexec.exe	39
PID 2184 wrote to memory of 1736	2184	msiexec.exe	40

C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1743124190 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1529A3D042C18671DC34A51715B70F96 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3129DDB28C27563CB6CEC0DE03DF24AD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Installer\MSIFB27.tmp
  "C:\Windows\Installer\MSIFB27.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Temp\setup.msi"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C966E33A8BBF5C15E83BA8985BDA838 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 312E4D51C07D128C8109A45EB2C20E57
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7C192854557CF3649DF8C99DC5F1779 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2112
- - C:\Program Files\EZ CD Audio Converter\register64.exe
    "C:\Program Files\EZ CD Audio Converter\register64.exe" register
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2336
- - C:\Program Files\EZ CD Audio Converter\ezcd.exe
    "C:\Program Files\EZ CD Audio Converter\ezcd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:844
- C:\Windows\Installer\MSI1817.tmp
  "C:\Windows\Installer\MSI1817.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Temp\cmd.bat"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
    3⤵
    PID:1992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "tar -xf N.jpg -C $env:public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Move-Item -Path 'N.jpg' -Destination $env:public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77eaa1.rbs

Filesize
1.9MB

MD5
78eca4dfbfe99af3865c97de335bbba3

SHA1
e0531fb867bd8ceac929a3c720c8e17836f5e4cf

SHA256
5208b43178a2acedb145259a2fbe0e78f5ece7de6ef08324b65d632cf1c0f43e

SHA512
dca667d48ea60eb1c22f544ac4f94c23ee5d74c0f3525a8b1ff0b62dc79b1d5dfa2494c0dc107241a57cd4e4e538c0466d01d622aae01310edfde5ec3b13c689

Download Submit
C:\Config.Msi\f77eaa7.rbs

Filesize
1.9MB

MD5
09d8bb392b8e7b86ab5c40a70783e069

SHA1
063509540a4b6882bc236f8c110decec4d8d7b03

SHA256
ac29801a00a8e53b715a15e9d5d6545f0e9c487e2401342df9061796c0e752ff

SHA512
661c612da6481177b448791afcb12206a6106be77c6a0fe9ab6034070900a39659cb3757bc40b8c3742dc79bb45fe5510c21b33e4aa75e5f627e56d6abbe26d5

Download Submit
C:\Program Files\EZ CD Audio Converter\API-MS-WIN-CRT-STDIO-L1-1-0.DLL

Filesize
25KB

MD5
c9103f6861fa14345cfb763189292cb4

SHA1
f3959ba76d98add1f7e502f01aa470efe7df24ee

SHA256
e4a6bd5d65d39da4424ab7828959cfeb7c362e29008bc63ecf16fb3b20001807

SHA512
e14c23a8a1913b10598ee57381ba9d51880b1615c995a54d7dfb65af6bf22c4d2740225fe20ddfc0309d2dd043db2505b063644588608b4b7b32382082b2ab43

Download Submit
C:\Program Files\EZ CD Audio Converter\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
75c8a3c1dfe2096f1a2c6ba51de7196f

SHA1
eb17720383791d75ccc2ed729900c1e8e8165504

SHA256
3d95961590fe6da5c569bcb0a54651488e70dd7b15c257e1b9faf8a3cc0e63e4

SHA512
8c6af5c49a321d60b14032780bf6d93a51ed7fe97940e06dfb251d295f51f2788cd7931a848cea94607d81acb9bb225086dd879159e67cda0c355173e69543ea

Download Submit
C:\Program Files\EZ CD Audio Converter\ucrtbase.DLL

Filesize
1.1MB

MD5
6a44a2235d33b3f154fc50dc72e8ea61

SHA1
e98127a010bc6555e50e2ce7eba6ead8d8e13bf3

SHA256
91d027417ff2301b7135e864a5df6693488f8412ff87040f4897e0e03bc2577b

SHA512
057595ef00dc41aab49d654dc1b8dfdfaad58a3e2cf764db71090413b04e07c618d4592b390d170a4fbbc02f04c68f11b382258e3bf13a1791c6bfc97df7687b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\EZ CD Audio Converter\converter_normal.txt

Filesize
682B

MD5
5fe1e6f8fb8ac21f63049cf39089f53a

SHA1
3176505294c2b2022fbcd227a2493b2a20fb2533

SHA256
b4e717f9ef7af9ba991f9c36b56cb9b4f51fe3b8f29b738496f3af4dcb48d47e

SHA512
a9668866637c6f5e22ea0bcaf2fa56d81beb78540b419ef8ce41118d0cf7cbf766f38b8c0d6ab72839f2874075aa1e8526a815d95d9f05e4a2a59d00e9640ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE540.tmp

Filesize
997KB

MD5
ee09d6a1bb908b42c05fd0beeb67dfd2

SHA1
1eb7c1304b7bca649c2a5902b18a1ea57ceaa532

SHA256
7bbf611f5e2a16439dc8cd11936f6364f6d5cc0044545c92775da5646afc7752

SHA512
2dd2e4e66d2f2277f031c5f3c829a31c3b29196ab27262c6a8f1896a2113a1be1687c9e8cd9667b89157f099dfb969ef14ae3ea602d4c772e960bc41d39c3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.jpg

Filesize
748KB

MD5
77a525a2fe92d8e23c5c998fc4a1c69a

SHA1
fd1c8824ff28ce087922b791925436a4fbca1389

SHA256
96428e36617977b9289b8ae83bdf0542557d82b7eb051ef8778ef6e26aeca228

SHA512
a1b663152f3c8c3c984ab562b038e54fe4d8486b605d8a6684c2f0b595d00087584267dd82e769893e64b69287094dd7ad5b682b1fd7a4f846938f80309dffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCA1A.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
379B

MD5
792e9112b9726f770a5ca41fb70e06ee

SHA1
1cd73dc1f39cd5d95ccf6ce17e77f4a113d57540

SHA256
da8efe220f30659356c0cbd12b455d7f531259b55986e36702e617ae04adf412

SHA512
11b9b89a1239b1af1a0952fba7d8b0f8953adf3bec4c38534c70a1d21d67579a29cfa6bd00fce3152deaffeeac326e465052b33adaa676c98c3b87ce5f6d696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez_cd_audio_converter_setup_x64-12.0.1.1.exe

Filesize
39.4MB

MD5
bb90a50012560b0d8e68e86201dec567

SHA1
84f0d7ecdfebc2d0fd7ca3ec096a4662d8464570

SHA256
36ba743905a360037896c52d27af3c5e127683ab2c69a37eca718de121761f2d

SHA512
1c5ea48cb81d6ed9b785ab58677685c9716a179bacbc09fa2d16e71769a9ad498572f4e7629b89f28072a282625b0893f6ff7250a8ea0ab6317a7d2d1628d9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj171A.tmp\modern-wizard.bmp

Filesize
150KB

MD5
5dc251b994c2499628eaca24b0ec587f

SHA1
6904b12c39e4765414a4502ca59bd6405e39b364

SHA256
22727d9d1e3e0fe0df182c23b15d6a126ed19c2d1781af8d56e43f87e6506ac1

SHA512
ffba72a87ba1462e62fbaa19015a1a443423ff807483f5e2dafeeae9be3e40505769bda5a1b88eedc8e67b92900961e0d30f9e714e5a96a9b2f1d4a3f6150ad1

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi

Filesize
3.7MB

MD5
351a6f10aeed68dd1131b2a99545793a

SHA1
8cdfa38ff8e774bc196130a64cbdaa6369c7f385

SHA256
a9fe53323e9c89bb836d8adcb2d1c36d4d1f84373f4277ee14b8df3aa3272e65

SHA512
5417ebf76f311a43d32c82e9662e7b790cc149afd25cd35af75dfbe477099e701b5fa194428a47a001b9c64dae0d4dff779ede6b1b894f9264e4d743437b99bf

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup.msi

Filesize
2.9MB

MD5
a18598ac9402f45ba22cea4f7bdd4782

SHA1
76db003cee073a307a28b8dc2a901d587d014377

SHA256
696736cd779c3e16f75faffffcace334e9b71399b0650cb745d72acf4acfe224

SHA512
7c384fd092162e90005243df9b3497f879f54e91a0e614ffc1ac2b11e119d0cadc7e5a4e3f4d84ab77640f0e8d5a1a326e1eaf5ea4fbc4ac75616d3b84009e8e

Download Submit
C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup1.cab

Filesize
39.8MB

MD5
627b5e0d1a432aa6e66ce5dd5af8baa6

SHA1
fafdb61d971f2741eac3a7bbefb754db64bf0c70

SHA256
51d580e3f429a018591ea0df27f13e87efdd0692070ea9104fd1210750ba85e6

SHA512
5aba06618e0ff8cc8544aa1c0fc5b1cd7bee17442e841e82c4e047d6a21c34e1a8a4b6b08f386019e689eecc7e17201b57caa52e5da6a0a501b1bfc6f645a6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f09a34958fc50456265785cdc70387a

SHA1
3e5790c9dd35c205ea9363e16610b04094594858

SHA256
f3e23c24b35984b21372da756f36167c3ac5f07b217e6711785ea4f779753307

SHA512
6c3ea41b9f1f9b4a9e2bc3e7db5429a55564a376503e982c66e4f357732ae83239f9f3e30a40392e63b787aa71216b4b26d353e72b01a7f38851679d8385cd0a

Download Submit
C:\Windows\Installer\MSIF9AF.tmp

Filesize
967KB

MD5
bf6adc8f7e5afea02b8514b3f93dc30b

SHA1
1eea8393c3481d2be5b68af98efe70493dea1b1f

SHA256
5011c2403744c70efa01ce5341a8da118667268d74a0f046a5f7e93290b69529

SHA512
b1bb78aabd5a16c8f88c70e16fae90a15dd426dd014291e82952416c3f6a60413c642c1d46e586079f0a3904f88d53f37195acb2e001c0586f61baf675ffda72

Download Submit
C:\Windows\Installer\MSIFB27.tmp

Filesize
411KB

MD5
daefcc204211c3d179eacc0c6ee4bcc6

SHA1
3bfc444a87d30dcc77730ad5bdb65b9593b50925

SHA256
d74b55c93e4991ac882af31978a186a797ac9cde0c93747094e0422106b8d100

SHA512
6aa70b0a48868b3de1dd0a96835db024ae325ae3fc5725567d54369b91c20972c1c3b7c8620f2189784010cf44bb6577a75702ef20f71f4eaf75deaf149492d1

Download Submit
\Program Files\EZ CD Audio Converter\ezcd.exe

Filesize
8.6MB

MD5
40665f02ec466d58f39307b3b7582a00

SHA1
82f81ee2f5805d0dcc6ea107d81bbfcd5019ee79

SHA256
64ea1b5673152de5ea87dfc68c0461321c3f3d1a1d9d45f1f35dff14df65295a

SHA512
cd87108535f4cd34bd4ec2dfd05e10e5e1dc5cbfd130cc9834cfc1ba1a45c2db1a4171c6009987dcff365a1c4c07952841f6ac2788e4c5875bcd2b7a33d52b80

Download Submit
\Program Files\EZ CD Audio Converter\ezcd64.dll

Filesize
692KB

MD5
af4b35101d3f77fae67f9a0fdcc62559

SHA1
3b94904a6565bf46e47baecb5e1ee5d1701a19a6

SHA256
cd1728e4cb3eff23d5d9c85c36037f84370dbc7625fae7fad5e49887ea392455

SHA512
3c18e16556b0a922f8cc0aa22206cf053d3ca54acdb6de980f2073fb26097a6db951f24d1c22d8a03c4b9d3344030be921913e77cb8c69b9cbe7399f798b9c15

Download Submit
\Program Files\EZ CD Audio Converter\register64.exe

Filesize
148KB

MD5
5872f17645e7ae8436d7607bbbf16cd2

SHA1
767b605431383444afc4d3ca714cc1a9e57f75ff

SHA256
d536a588a513c62145a7f4c1541ae64ddb8495049ceeb4204575266181c91e0d

SHA512
dffb23a467d4eeb19bc4fa3d89337b490bc33522d8d4b74dd82919103d7b44d1912bd11008368649321b12278b50cc9f036d9a195d792774610c93b037440326

Download Submit
\Users\Admin\AppData\Local\Temp\nsj171A.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj171A.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nsj171A.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca5bb0ee2b698869c41c087c9854487c

SHA1
4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

SHA256
c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

SHA512
363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

Download Submit
\Users\Admin\AppData\Local\Temp\preE763.tmp

Filesize
886KB

MD5
1d51848e7512c27af22cdf0213e11cf5

SHA1
d35ab52e49c82bb72f0ad7c7568035e8a41564e4

SHA256
0b73497f2ad7a4a04f36b8d46816c5404ba828d7feeca90b3abe28599e9c4619

SHA512
b6513f1ab6af820fd139ba5fe5399268077c328b8dbd19471db203f94f6aec2702baaec37209b4056531cab56d54b09f6d446f0f398befa1cc9cd4f77e65e079

Download Submit
\Windows\Installer\MSI1817.tmp

Filesize
532KB

MD5
74a4833cf5cd5396535b5f236569e0f2

SHA1
c1f97472ed374066dd1dac8b5b7c587c283b1ad2

SHA256
831375810426bd21735509c377b28e5553e3b59026c48f579b1143ec70b40fd1

SHA512
8ee522e88c9bfbb11cb734def3d1266a046d9fdc8b1f58d59f0bfa3c50d709b579362a0e2162d9dfb207a054dd1f4c41e4cd2d05bfe2b85c81b1ccdd75637eae

Download Submit
memory/844-520-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-604-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-515-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-518-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-641-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-517-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-519-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-636-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-522-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-632-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-500-0x0000000003D50000-0x0000000003F38000-memory.dmp

Filesize
1.9MB

Download
memory/844-531-0x0000000003D50000-0x0000000003F38000-memory.dmp

Filesize
1.9MB

Download
memory/844-530-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-529-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-533-0x0000000003D50000-0x0000000003F38000-memory.dmp

Filesize
1.9MB

Download
memory/844-624-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-541-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-619-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-613-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-513-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/844-607-0x0000000000400000-0x0000000001D17000-memory.dmp

Filesize
25.1MB

Download
memory/1108-145-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1108-146-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2680-164-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2680-163-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2736-81-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2736-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download