File name: 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/09e7e593-cc5b-4a0a-9fa6-45a86610f9f9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 21, 2025, 21:33:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
stealer
arch-scr
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: FCD68FCBA38F5A76000BB6E745A76DBB
SHA1: EE995AA9360764FC090FAF8193A90B71BA3A9023
SHA256: E5BE5165B0F66C6442435DF759CDECC9FAEEB0B6B9E331FF315F26AD32ADBF4A
SSDEEP: 6144:BTM6qtgn0I+4i5tucngwZXp+V44zPOfBOLzh:BdTcscgwQ44zWZwh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • lite_installer.exe (PID: 188)
      • seederexe.exe (PID: 2880)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 2880)
    • Bypasses execution policy to execute commands

      • powershell.exe (PID: 6364)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6364)
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • lite_installer.exe (PID: 188)
    • Reads security settings of Internet Explorer

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • Yandex.exe (PID: 4380)
      • lite_installer.exe (PID: 188)
      • explorer.exe (PID: 2368)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
    • Potential Corporate Privacy Violation

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • lite_installer.exe (PID: 188)
    • Process drops legitimate windows executable

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
    • Executable content was dropped or overwritten

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • Yandex.exe (PID: 4380)
      • lite_installer.exe (PID: 188)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 892)
    • Application launched itself

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1936)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 2880)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 2880)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 2880)
    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 4380)
    • Starts itself from another location

      • Yandex.exe (PID: 4380)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 4380)
  • INFO

    • The sample was compiled with Russian language support

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • msiexec.exe (PID: 2296)
    • Checks supported languages

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • YandexPackSetup.exe (PID: 892)
      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 6640)
      • lite_installer.exe (PID: 188)
      • msiexec.exe (PID: 1936)
      • msiexec.exe (PID: 2296)
      • seederexe.exe (PID: 2880)
      • Yandex.exe (PID: 4380)
      • explorer.exe (PID: 2368)
      • sender.exe (PID: 6492)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
      • identity_helper.exe (PID: 7788)
    • Reads the computer name

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • YandexPackSetup.exe (PID: 892)
      • msiexec.exe (PID: 1936)
      • lite_installer.exe (PID: 188)
      • msiexec.exe (PID: 2296)
      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 6640)
      • Yandex.exe (PID: 4380)
      • seederexe.exe (PID: 2880)
      • explorer.exe (PID: 2368)
      • sender.exe (PID: 6492)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
      • identity_helper.exe (PID: 7788)
    • Creates files in a temporary directory

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 6640)
      • YandexPackSetup.exe (PID: 892)
      • msiexec.exe (PID: 2296)
      • seederexe.exe (PID: 2880)
      • lite_installer.exe (PID: 188)
      • Yandex.exe (PID: 4380)
      • sender.exe (PID: 6492)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
    • The sample was compiled with English language support

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • lite_installer.exe (PID: 188)
    • Reads the software policy settings

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • msiexec.exe (PID: 1936)
      • lite_installer.exe (PID: 188)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
      • slui.exe (PID: 8088)
    • Process checks computer location settings

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • msiexec.exe (PID: 2296)
      • explorer.exe (PID: 2368)
      • Yandex.exe (PID: 4380)
    • Reads the machine GUID from the registry

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • msiexec.exe (PID: 1936)
      • seederexe.exe (PID: 2880)
      • lite_installer.exe (PID: 188)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
    • Checks proxy server information

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • lite_installer.exe (PID: 188)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
      • slui.exe (PID: 8088)
    • Creates files or folders in the user directory

      • 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe (PID: 2952)
      • msiexec.exe (PID: 2296)
      • msiexec.exe (PID: 1936)
      • seederexe.exe (PID: 2880)
      • Yandex.exe (PID: 4380)
      • explorer.exe (PID: 2368)
      • lite_installer.exe (PID: 188)
      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1936)
      • msiexec.exe (PID: 2296)
    • Manual execution by a user

      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
      • wscript.exe (PID: 5500)
      • wscript.exe (PID: 1132)
      • wscript.exe (PID: 5616)
      • wscript.exe (PID: 1512)
      • iexplore.exe (PID: 5552)
      • rundll32.exe (PID: 7156)
      • powershell.exe (PID: 6364)
      • rundll32.exe (PID: 7556)
      • rundll32.exe (PID: 4860)
      • rundll32.exe (PID: 7984)
      • rundll32.exe (PID: 7408)
      • rundll32.exe (PID: 7780)
      • rundll32.exe (PID: 7412)
      • wscript.exe (PID: 2044)
      • wscript.exe (PID: 6640)
      • wscript.exe (PID: 3000)
      • wscript.exe (PID: 8168)
      • rundll32.exe (PID: 8172)
      • wscript.exe (PID: 7940)
    • Yandex updater related mutex has been found

      • {311FC486-63CE-420F-BA63-A4C2F61638EB}.exe (PID: 5244)
    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 5500)
      • wscript.exe (PID: 1132)
      • wscript.exe (PID: 5616)
      • wscript.exe (PID: 1512)
      • wscript.exe (PID: 2044)
      • wscript.exe (PID: 3000)
      • wscript.exe (PID: 7940)
    • Application launched itself

      • msedge.exe (PID: 5564)
    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 7556)
    • Reads Environment values

      • identity_helper.exe (PID: 7788)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6364)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 7556)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:05:19 13:34:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 143360
InitializedDataSize: 84992
UninitializedDataSize: -
EntryPoint: 0x74a6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.33
ProductVersionNumber: 0.1.0.33
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
FileDescription: Setup Downloader
FileVersion: 0.1.0.33
InternalName: download
LegalCopyright: Copyright (C) 2015 Yandex LLC
OriginalFileName: downloader.exe
ProductName: Setup Downloader
ProductVersion: 0.1.0.33
All screenshots are available in the full report
Total processes: 192
Monitored processes: 53
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes shown in the behavior graph, in start order: 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe, yandexpacksetup.exe, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe, msiexec.exe, msiexec.exe, lite_installer.exe, seederexe.exe, yandex.exe, explorer.exe, sender.exe, {311fc486-63ce-420f-ba63-a4c2f61638eb}.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, iexplore.exe, msedge.exe, rundll32.exe, powershell.exe, conhost.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, rundll32.exe, rundll32.exe, msedge.exe, msedge.exe, identity_helper.exe, identity_helper.exe, msedge.exe, rundll32.exe, slui.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe

Process information

PID: 188
CMD: "C:\Users\admin\AppData\Local\Temp\3B5D1ACE-E71C-4988-8741-C7E94D1DCFB5\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
Path: C:\Users\admin\AppData\Local\Temp\3B5D1ACE-E71C-4988-8741-C7E94D1DCFB5\lite_installer.exe
Parent process: msiexec.exe
User: admin
Company: Yandex
Integrity Level: MEDIUM
Description: YandexBrowserDownloader
Exit code: 0
Version: 1.0.1.9
Modules (images):
  • c:\users\admin\appdata\local\temp\3b5d1ace-e71c-4988-8741-c7e94d1dcfb5\lite_installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 892
CMD: "C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=138 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "
Path: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
Parent process: 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Software Installer
Exit code: 0
Version: 3.0.5419.0
Modules (images):
  • c:\users\admin\appdata\local\temp\7f4987fb1a6e43d69e3e94b29eb75926\yandexpacksetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\psapi.dll

PID: 1068
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6208,i,7968495450689684814,661452638619813998,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1132
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\build-info.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
  • c:\windows\system32\wscript.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1512
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\brandings.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
  • c:\windows\system32\wscript.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1936
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll

PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3676,i,7968495450689684814,661452638619813998,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2044
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\sovetnik-inject-background.min.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.812.10240.16384
Modules (images):
  • c:\windows\system32\wscript.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2296
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 04B35C066324467322431E54DF4BBC42
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll
Total events: 45 843
Read events: 45 676
Write events: 149
Delete events: 18

Modification events

(PID) Process: (2952) 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2952) 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2952) 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1936) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 90070000E4B72E2DF4E2DB01

(PID) Process: (1936) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3B691DA2BCE341BFE1052C8AE15E0071861F86D00ED4F2DC222AC77130B7F062

(PID) Process: (1936) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1936) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: delete value
Name: C:\Config.Msi\
Value: (empty)

(PID) Process: (1936) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete value
Name: C:\Config.Msi\17838a.rbs
Value: Ǜ

(PID) Process: (1936) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete value
Name: C:\Config.Msi\17838a.rbsLow
Value: 逰ⷕ

(PID) Process: (1936) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: (empty)

Executable files: 29
Suspicious files: 168
Text files: 135
Unknown types: 0

Dropped files

PID 892, YandexPackSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 1936, msiexec.exe
Filename: C:\Windows\Installer\178388.msi
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 2952, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Type: binary
MD5: 88C5F2404CCC01A4F50A107E85463D8C
SHA256: AFBDB6F1E5ED43C943547410A93D22FAC6ED5CDDD804C30A98B940269A667A77

PID 2952, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txt
Type: text
MD5: 283062995206F8CBF7C0B50216B9623E
SHA256: 63090C637337F10E49D0C0C450657A57A6D9A122A935631C6C2DBD0A37AB4AB9

PID 2952, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5: 0E669A1C7D05B1CFA8846B7E1E238EB3
SHA256: 751B3BD1E51591CDD2932349A06C5F0D2BEF6B452C1887A2D186A7A4D0E36E16

PID 2952, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5: 13C69E9F9D07097626F33E3485BA9EBC
SHA256: 02DF232B04AA185F31785AFC450B3C86F44E006C4DFC0016412AA7CA08D31D6A

PID 2952, 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
Type: executable
MD5: DE5CC8B280F3A924E2C3F269FE7618A0
SHA256: 167398F1384B8322E60810EAA3CF147E2884580063CB12E19DAB484F63A4BBD6

PID 2296, msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\clids-yasearch.xml
Type: xml
MD5: FEA6F718302E8FFC05D4D13669D656AD
SHA256: 8D2552ACD25A7E3B3708698F3D91CE042FCC2E640E4C69818931A74C97637B5A

PID 1936, msiexec.exe
Filename: C:\Windows\Installer\MSI85ED.tmp
Type: executable
MD5: 0C80A997D37D930E7317D6DAC8BB7AE1
SHA256: A5DD2F97C6787C335B7807FF9B6966877E9DD811F9E26326837A7D2BD224DE86

PID 2296, msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\6158C362-3455-4555-8025-3C076D829CBB\sender.exe
Type: executable
MD5: F1A8F60C018647902E70CF3869E1563F
SHA256: 36022C6ECB3426791E6EDEE9074A3861FE5B660D98F2B2B7C13B80FE11A75577
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 87
TCP/UDP connections: 101
DNS requests: 64
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe | GET | 302 | 37.9.64.225:80 | http://downloader.yandex.net/yandex-pack/635487/YandexPackSetup.exe | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4960 | RUXIMICS.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4960 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2952 | 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe | GET | 200 | 5.45.247.26:80 | http://cloudcdn-ams22.cdn.yandex.net/downloader.yandex.net/yandex-pack/635487/YandexPackSetup.exe?lid=300 | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4960 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2952 | 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe | 37.9.64.225:80 | downloader.yandex.net | YANDEX LLC | RU | whitelisted
1268 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
4960 | RUXIMICS.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.78 | whitelisted
downloader.yandex.net | 37.9.64.225 | whitelisted
crl.microsoft.com | 2.18.121.147, 2.18.121.139 | whitelisted
www.microsoft.com | 2.23.246.101, 95.101.149.131 | whitelisted
cloudcdn-ams22.cdn.yandex.net | 5.45.247.26 | whitelisted
login.live.com | 40.126.31.131, 20.190.159.71, 20.190.159.4, 40.126.31.73, 40.126.31.71, 40.126.31.129, 40.126.31.0, 40.126.31.128 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.248 | whitelisted
ocsp.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
clck.yandex.ru | 77.88.21.14, 93.158.134.14, 213.180.193.14, 87.250.251.14, 213.180.204.14, 87.250.250.14 | whitelisted

Threats

PID | Process | Class | Message
2952 | 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2952 | 2025-05-18_fcd68fcba38f5a76000bb6e745a76dbb_black-basta_coinminer_elex_hawkeye_hijackloader_luca-stealer.exe | Misc activity | ET INFO Packed Executable Download
188 | lite_installer.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
188 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP
Process | Message
YandexPackSetup.exe | IsMSISrvFree() In
YandexPackSetup.exe | IsAlreadyRun() In
YandexPackSetup.exe | IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe | IsMSISrvFree() Out ret = 1
YandexPackSetup.exe | IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe | GetSidFromEnumSess(): LsaGetLogonSessionData(0) err = 5
YandexPackSetup.exe | GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe | GetSidFromEnumSess(): i = 1 : szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 0
YandexPackSetup.exe | GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe | GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001