Analysis Overview
SHA256
2c4b6c01bdaeb1a5b18252fb2d34b5c9499c0bfa7465e714563f6a89d34cf235
Threat Level: Known bad
The file tni.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 07:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 07:23
Reported
2024-12-13 07:24
Platform
win10ltsc2021-20241211-en
Max time kernel
50s
Max time network
35s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32\ = "C:\\Windows\\System32\\IME\\SHARED\\imedicapiccps.dll" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "ImeDicAPIProxy" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tni.exe
"C:\Users\Admin\AppData\Local\Temp\tni.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.softinventive.com | udp |
| US | 72.52.196.33:443 | www.softinventive.com | tcp |
| US | 8.8.8.8:53 | 33.196.52.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
memory/388-0-0x00000000062E0000-0x00000000064C7000-memory.dmp
memory/388-10-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-12-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-14-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-16-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-17-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-18-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-22-0x00000000062E0000-0x00000000064C7000-memory.dmp
memory/388-19-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-20-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-24-0x0000000006270000-0x0000000006271000-memory.dmp
memory/388-21-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-25-0x00000000062E0000-0x00000000064C7000-memory.dmp
memory/388-26-0x00000000062E0000-0x00000000064C7000-memory.dmp
memory/388-27-0x0000000006790000-0x0000000006791000-memory.dmp
memory/388-34-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-35-0x0000000006270000-0x0000000006271000-memory.dmp
memory/388-36-0x0000000006790000-0x0000000006791000-memory.dmp
memory/388-38-0x0000000000400000-0x0000000004063000-memory.dmp
C:\Users\Admin\Documents\TNI storage\.connections.ini
| Hash | Value |
|---|---|
| MD5 | 651ab69f2413fcae765a1acd0d023539 |
| SHA1 | 6a54fde9bd07bc2971d0927a2f05aa996554de29 |
| SHA256 | 46641882899543870a0cd00c1daa1fa784013b8b83735b5935728604464bb11c |
| SHA512 | 8647c7c4f17d5bdb6360b0953424273b3797f49e05bb5813a55288e262c6d763a97bb270cee5a6f5fef741b37bc19f5f6c04083d99eab7fde63068c49b8db7fa |
memory/388-58-0x00000000062E0000-0x00000000064C7000-memory.dmp
memory/388-56-0x0000000000400000-0x0000000004063000-memory.dmp
memory/388-59-0x0000000000400000-0x0000000004063000-memory.dmp