File name:

neko-98-4.0h-installer_LnJSa-1.exe

Full analysis: https://app.any.run/tasks/678c3c56-864b-4686-a1e4-8bfebd2b8339
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 24, 2024, 21:40:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

66661286992414A5BCD4957EBAD5B84F

SHA1:

064E4D4F2B97D43820A59B8E841169AD6A48FD34

SHA256:

A5BD9C0404B84006B5F82B3FEE0119D86CC98B2450CECFAB50991C38FA8CDBB4

SSDEEP:

49152:C7HecD4dnbibBlz2zWoFgBWtsbcXBCd5+G2z80lPFtHHAHdBaw6U7kXNU8CnHDa2:y+cD4dnSDoKOsgMio0lbH0Bawv7yOnnl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • installer.exe (PID: 8020)
    • Steals credentials from Web Browsers

      • servicehost.exe (PID: 7280)
    • Actions looks like stealing of personal data

      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
    • Changes the autorun value in the registry

      • instup.exe (PID: 7664)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6820)
      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6912)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 7872)
      • installer.exe (PID: 8020)
      • Instup.exe (PID: 7544)
    • Reads security settings of Internet Explorer

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 8020)
      • uihost.exe (PID: 7520)
    • Executable content was dropped or overwritten

      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6820)
      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6912)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 7872)
      • installer.exe (PID: 8020)
      • Instup.exe (PID: 7544)
    • Reads the date of Windows installation

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
    • Reads the Windows owner or organization settings

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
    • Potential Corporate Privacy Violation

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • updater.exe (PID: 3964)
    • Process requests binary or script from the Internet

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 7872)
      • regsvr32.exe (PID: 6832)
      • regsvr32.exe (PID: 6924)
      • regsvr32.exe (PID: 740)
      • installer.exe (PID: 8020)
      • uihost.exe (PID: 7520)
      • cmd.exe (PID: 3244)
      • updater.exe (PID: 3964)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 5372)
      • cmd.exe (PID: 6644)
      • instup.exe (PID: 7664)
      • servicehost.exe (PID: 7280)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 5976)
      • servicehost.exe (PID: 7280)
    • The process creates files with name similar to system file names

      • installer.exe (PID: 8020)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6924)
      • regsvr32.exe (PID: 740)
    • Creates a software uninstall entry

      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
    • Executes as Windows Service

      • servicehost.exe (PID: 7280)
    • Starts itself from another location

      • Instup.exe (PID: 7544)
    • Starts CMD.EXE for commands execution

      • servicehost.exe (PID: 7280)
      • updater.exe (PID: 3964)
    • Reads Mozilla Firefox installation path

      • uihost.exe (PID: 7520)
      • servicehost.exe (PID: 7280)
    • Hides command output

      • cmd.exe (PID: 3244)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 8004)
    • Searches for installed software

      • updater.exe (PID: 3964)
    • Process checks presence of unattended files

      • instup.exe (PID: 7664)
    • Process drops legitimate windows executable

      • installer.exe (PID: 8020)
  • INFO

    • Checks supported languages

      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6820)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6912)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • identity_helper.exe (PID: 7776)
      • installer.exe (PID: 7872)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • instup.exe (PID: 7664)
      • updater.exe (PID: 3964)
      • sbr.exe (PID: 3448)
    • Create files in a temporary directory

      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6820)
      • neko-98-4.0h-installer_LnJSa-1.exe (PID: 6912)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • installer.exe (PID: 8020)
    • Reads the computer name

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
      • saBSI.exe (PID: 5976)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • identity_helper.exe (PID: 7776)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • updater.exe (PID: 3964)
      • instup.exe (PID: 7664)
    • Process checks computer location settings

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • servicehost.exe (PID: 7280)
    • Reads the software policy settings

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • updater.exe (PID: 3964)
      • instup.exe (PID: 7664)
    • Reads Microsoft Office registry keys

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6840)
      • msedge.exe (PID: 6392)
    • Checks proxy server information

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • instup.exe (PID: 7664)
    • Reads the machine GUID from the registry

      • neko-98-4.0h-installer_LnJSa-1.tmp (PID: 6960)
      • saBSI.exe (PID: 5976)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6512)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • instup.exe (PID: 7664)
      • updater.exe (PID: 3964)
    • Application launched itself

      • msedge.exe (PID: 6392)
    • Creates files in the program directory

      • saBSI.exe (PID: 5976)
      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • installer.exe (PID: 7872)
      • installer.exe (PID: 8020)
      • servicehost.exe (PID: 7280)
      • uihost.exe (PID: 7520)
      • instup.exe (PID: 7664)
    • Reads CPU info

      • avast_free_antivirus_setup_online_x64.exe (PID: 7352)
      • Instup.exe (PID: 7544)
      • instup.exe (PID: 7664)
    • Reads Environment values

      • Instup.exe (PID: 7544)
      • identity_helper.exe (PID: 7776)
      • instup.exe (PID: 7664)
      • servicehost.exe (PID: 7280)
    • Dropped object may contain TOR URL's

      • Instup.exe (PID: 7544)
    • Reads product name

      • servicehost.exe (PID: 7280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 423.56.98.8907
ProductVersionNumber: 423.56.98.8907
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Softonic International SA
FileVersion: 423.56.98.8907
LegalCopyright: ©2023 Softonic International SA
OriginalFileName:
ProductName: Softonic International SA
ProductVersion: 3.1.5.7
No data.
All screenshots are available in the full report
Total processes
192
Monitored processes
66
Malicious processes
14
Suspicious processes
8

Behavior graph

start, neko-98-4.0h-installer_lnjsa-1.exe, neko-98-4.0h-installer_lnjsa-1.tmp (no specs), neko-98-4.0h-installer_lnjsa-1.exe, neko-98-4.0h-installer_lnjsa-1.tmp, msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), cookie_mmm_irs_ppi_005_888_a.exe, sabsi.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), avast_free_antivirus_setup_online_x64.exe, msedge.exe (no specs), instup.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), identity_helper.exe (no specs), identity_helper.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), installer.exe, installer.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), servicehost.exe, uihost.exe, instup.exe, cmd.exe (no specs), conhost.exe (no specs), updater.exe, cmd.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), sbr.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 8
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=2288,i,17923656470192167953,17711649913324773291,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 300
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6040 --field-trial-handle=2288,i,17923656470192167953,17711649913324773291,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 740
CMD: regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1292
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3544 --field-trial-handle=2288,i,17923656470192167953,17711649913324773291,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1748
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5456 --field-trial-handle=2288,i,17923656470192167953,17711649913324773291,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3032
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3244
CMD: C:\WINDOWS\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: servicehost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3448
CMD: "C:\Windows\Temp\asw.9e2a96ed029f0526\New_180817ef\sbr.exe" 7664 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
Path: C:\Windows\Temp\asw.9e2a96ed029f0526\New_180817ef\sbr.exe
Parent process: instup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Shutdown blocker
Version:
24.8.9372.0
Modules
Images
c:\windows\temp\asw.9e2a96ed029f0526\new_180817ef\sbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3916
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3732 --field-trial-handle=2288,i,17923656470192167953,17711649913324773291,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
60 933
Read events
59 311
Write events
1 606
Delete events
16

Modification events

(PID) Process: (6960) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value:
301B0000FF77D34D6EF6DA01

(PID) Process: (6960) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value:
77C13299B6D25FAFDF2107632C85C006D6C7775392F0D024D616AED99028BA7C

(PID) Process: (6960) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value:
1

(PID) Process: (6840) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (6840) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6840) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (6840) neko-98-4.0h-installer_LnJSa-1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (6392) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value:
0

(PID) Process: (6392) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
2

(PID) Process: (6392) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:
Executable files
66
Suspicious files
481
Text files
971
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 6912
Process: neko-98-4.0h-installer_LnJSa-1.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-2RC4L.tmp\neko-98-4.0h-installer_LnJSa-1.tmp
Type: executable
MD5: 33527A9070767C2833A72D7C6ACD83F2
SHA256: 18BED8A6727A3B322958DC1D85F31BE3A426555C3B3F8B77F04C1B1D1B9E7147

PID: 6960
Process: neko-98-4.0h-installer_LnJSa-1.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1228ed.TMP
Type:
MD5:
SHA256:

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1228ed.TMP
Type:
MD5:
SHA256:

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1228ed.TMP
Type:
MD5:
SHA256:

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
Type:
MD5:
SHA256:

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
Type:
MD5:
SHA256:

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
Type:
MD5:
SHA256:

PID: 6820
Process: neko-98-4.0h-installer_LnJSa-1.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-E7VVV.tmp\neko-98-4.0h-installer_LnJSa-1.tmp
Type: executable
MD5: 33527A9070767C2833A72D7C6ACD83F2
SHA256: 18BED8A6727A3B322958DC1D85F31BE3A426555C3B3F8B77F04C1B1D1B9E7147

PID: 6392
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1228fc.TMP
Type:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
211
TCP/UDP connections
277
DNS requests
493
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown
GET | 200 | 54.239.192.189:443 | https://d25qho5rs4tpl0.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip | unknown
GET | 200 | 54.239.192.117:443 | https://d25qho5rs4tpl0.cloudfront.net/f/AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip | unknown
OPTIONS | 200 | 23.48.23.51:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown
GET | 301 | 23.67.131.82:443 | https://www.mcafee.com/consumer/en-us/policy/legal.html | unknown
POST | 200 | 54.239.192.135:443 | https://d25qho5rs4tpl0.cloudfront.net/zbd | unknown | binary | 15 b
GET | 200 | 54.239.192.50:443 | https://d25qho5rs4tpl0.cloudfront.net/f/WebAdvisor/images/880/update2/EN.png | unknown | image | 46.8 Kb
GET | 401 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | binary | 585 b
POST | 200 | 54.239.192.189:443 | https://d25qho5rs4tpl0.cloudfront.net/o | unknown | binary | 4.69 Kb
GET | 200 | 13.107.246.67:443 | https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | unknown | binary | 13.7 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
192.168.100.255:138 | whitelisted
5904 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1356 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
6960 | neko-98-4.0h-installer_LnJSa-1.tmp | 54.239.192.135:443 | d25qho5rs4tpl0.cloudfront.net | AMAZON-02 | US | unknown
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6960 | neko-98-4.0h-installer_LnJSa-1.tmp | 151.101.65.91:443 | images.sftcdn.net | FASTLY | US | unknown
6960 | neko-98-4.0h-installer_LnJSa-1.tmp | 199.232.194.133:443 | gsf-fl.softonic.com | FASTLY | US | unknown
6688 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.74.206
whitelisted
d25qho5rs4tpl0.cloudfront.net
  • 54.239.192.135
  • 54.239.192.50
  • 54.239.192.117
  • 54.239.192.189
whitelisted
images.sftcdn.net
  • 151.101.65.91
  • 151.101.193.91
  • 151.101.129.91
  • 151.101.1.91
whitelisted
gsf-fl.softonic.com
  • 199.232.194.133
  • 199.232.198.133
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.mcafee.com
  • 23.67.131.82
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.67
whitelisted

Threats

PID | Process | Class | Message
6688 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6688 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6512 | cookie_mmm_irs_ppi_005_888_a.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6688 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6688 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
Process
Message
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-7CT4P.tmp\component1_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory