Analysis Overview
SHA256: 2c4b6c01bdaeb1a5b18252fb2d34b5c9499c0bfa7465e714563f6a89d34cf235
Threat Level: Known bad
The file tni.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Event Triggered Execution: Component Object Model Hijacking
Checks BIOS information in registry
Checks installed software on the system
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-13 07:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-13 07:32
Reported: 2024-12-13 07:35
Platform: win7-20241010-en
Max time kernel: 140s
Max time network: 123s
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "CFrameRateConvertDmo" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mfvdsp.dll" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tni.exe
"C:\Users\Admin\AppData\Local\Temp\tni.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.softinventive.com | udp |
| US | 72.52.196.33:443 | www.softinventive.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-13 07:32
Reported: 2024-12-13 07:35
Platform: win10v2004-20241007-en
Max time kernel: 146s
Max time network: 150s
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ProgId\ = "System.Security.Policy.AllMembershipCondition" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Class = "System.Security.Policy.AllMembershipCondition" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ProgId | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "System.Security.Policy.AllMembershipCondition" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tni.exe
"C:\Users\Admin\AppData\Local\Temp\tni.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.softinventive.com | udp |
| US | 72.52.196.33:443 | www.softinventive.com | tcp |
| US | 8.8.8.8:53 | 33.196.52.72.in-addr.arpa | udp |
Files