Malware Analysis Report

2025-01-22 23:09

Sample ID 241213-h74t6atpaj
Target tni.exe
SHA256 2c4b6c01bdaeb1a5b18252fb2d34b5c9499c0bfa7465e714563f6a89d34cf235
Tags
banload discovery downloader dropper evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file tni.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-12-13 07:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 07:23

Reported

2024-12-13 07:24

Platform

win10ltsc2021-20241211-en

Max time kernel

50s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32\ = "C:\\Windows\\System32\\IME\\SHARED\\imedicapiccps.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "ImeDicAPIProxy" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tni.exe

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.softinventive.com udp
US 72.52.196.33:443 www.softinventive.com tcp
US 8.8.8.8:53 33.196.52.72.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

C:\Users\Admin\Documents\TNI storage\.connections.ini

MD5 651ab69f2413fcae765a1acd0d023539
SHA1 6a54fde9bd07bc2971d0927a2f05aa996554de29
SHA256 46641882899543870a0cd00c1daa1fa784013b8b83735b5935728604464bb11c
SHA512 8647c7c4f17d5bdb6360b0953424273b3797f49e05bb5813a55288e262c6d763a97bb270cee5a6f5fef741b37bc19f5f6c04083d99eab7fde63068c49b8db7fa
