Malware Analysis Report

2025-01-22 23:11

Sample ID 241213-jc74rstqcm
Target tni.exe
SHA256 2c4b6c01bdaeb1a5b18252fb2d34b5c9499c0bfa7465e714563f6a89d34cf235
Tags
banload discovery downloader dropper evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c4b6c01bdaeb1a5b18252fb2d34b5c9499c0bfa7465e714563f6a89d34cf235

Threat Level: Known bad

The file tni.exe was found to be: Known bad.

Verification note: in both detonations the sample's only outbound contact is www.softinventive.com over TCP 443 (72.52.196.33). Softinventive Lab is the vendor of Total Network Inventory, whose program executable is also named tni.exe. The Banload family signature is what separates this report from a generic packed application, so confirm it (compare the SHA256 above with a copy of the same build obtained from the vendor, and check what the family rule keys on) before treating the verdict as final.

Malicious Activity Summary

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Event Triggered Execution: Component Object Model Hijacking

Checks BIOS information in registry

Checks installed software on the system

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

The matrix itself did not survive this text export. Of the signatures in this report, Event Triggered Execution: Component Object Model Hijacking is the ATT&CK name of technique T1546.015; the other signature titles are sandbox heuristics rather than technique names.

Analysis: static1

Detonation Overview

Reported

2024-12-13 07:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 07:32

Reported

2024-12-13 07:35

Platform

win7-20241010-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
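What the two signatures above are recording, as an added example that is not part of the report and not the sample's own code: a Python emulation of the three registry probes listed (the key-open on HARDWARE\ACPI\DSDT\VBOX__ and the reads of SystemBiosVersion and SystemBiosDate), run against two constructed registry images. The VirtualBox values used ("VBOX   - 1" and the 06/23/99 BIOS date) are the strings VirtualBox firmware is generally known to expose and are assumptions for this example, not values taken from the report. On Windows the same checks can be run against the live registry; elsewhere only the constructed images are used.

```python
"""Emulation of the VirtualBox registry checks recorded in the report."""
import sys

# Registry modelled as {key_path: {value_name: data}}; a key with no values is an empty dict.
# Both images are constructed for this example.
VIRTUALBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},                   # ACPI OEM id of the DSDT table
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],                # REG_MULTI_SZ as VirtualBox reports it (assumed)
        "SystemBiosDate": "06/23/99",                       # fixed BIOS date of VirtualBox firmware (assumed)
    },
}
PHYSICAL_HOST = {
    r"HKLM\HARDWARE\ACPI\DSDT\DELL__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["DELL   - 1072009", "1.14.0"],
        "SystemBiosDate": "03/27/23",
    },
}

VBOX_MARKERS = ("VBOX", "VIRTUALBOX")


def vbox_indicators(registry):
    """Return the indicators that would let the sample conclude it runs inside VirtualBox.
    Each check mirrors one registry operation in the report's signature tables."""
    hits = []
    # 1. 'Key opened' HARDWARE\ACPI\DSDT\VBOX__ : an existence check on the DSDT OEM id subkey.
    if any(k.upper().startswith(r"HKLM\HARDWARE\ACPI\DSDT\VBOX") for k in registry):
        hits.append("ACPI DSDT OEM id VBOX__")
    sysinfo = registry.get(r"HKLM\HARDWARE\DESCRIPTION\System", {})
    # 2. 'Key value queried' SystemBiosVersion: any REG_MULTI_SZ entry carrying a VirtualBox marker.
    versions = sysinfo.get("SystemBiosVersion", [])
    if isinstance(versions, str):
        versions = [versions]
    if any(m in v.upper() for v in versions for m in VBOX_MARKERS):
        hits.append("SystemBiosVersion " + "|".join(versions))
    # 3. 'Key value queried' SystemBiosDate: the fixed date VirtualBox firmware reports.
    if sysinfo.get("SystemBiosDate") == "06/23/99":
        hits.append("SystemBiosDate 06/23/99")
    return hits


def read_live_registry():
    """On Windows, load the same locations from the real registry into the dict model."""
    if sys.platform != "win32":
        return None
    import winreg
    reg = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\ACPI\DSDT") as dsdt:
        i = 0
        while True:
            try:
                reg["HKLM\\HARDWARE\\ACPI\\DSDT\\" + winreg.EnumKey(dsdt, i)] = {}
            except OSError:          # no more subkeys
                break
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as sysk:
        vals = {}
        for name in ("SystemBiosVersion", "SystemBiosDate"):
            try:
                vals[name] = winreg.QueryValueEx(sysk, name)[0]
            except OSError:
                pass
        reg[r"HKLM\HARDWARE\DESCRIPTION\System"] = vals
    return reg


if __name__ == "__main__":
    for label, image in (("constructed VirtualBox image", VIRTUALBOX_GUEST),
                         ("constructed physical image", PHYSICAL_HOST),
                         ("this machine", read_live_registry())):
        if image is not None:
            print(f"{label}: {vbox_indicators(image) or 'no VirtualBox indicators'}")
```

All three probes read strings the hypervisor puts into firmware tables, so a sandbox that wants to survive this check has to change the DMI and ACPI OEM strings in the VM configuration; patching the registry after boot is not enough, because the sample can read the same data through other paths.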

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

No indicator rows are attached to this signature in this run; the only COM-related activity recorded is the CLSID registration listed under Modifies registry class below. That registration is written to HKLM\SOFTWARE\Classes\CLSID, which needs the administrative rights the sandbox user has. A hijack that works from an unprivileged account targets the HKCU\Software\Classes\CLSID copy instead, which non-elevated processes consult before the machine-wide entry.

Checks installed software on the system

discovery

Modifies Internet Explorer settings

adware spyware

Every entry below is a per-process FeatureControl value keyed by the executable name (...\FEATURE_X\tni.exe). That is how an application configures an embedded WebBrowser/MSHTML control for itself; it does not change the user's Internet Explorer settings. FEATURE_BROWSER_EMULATION = 11000 selects IE11 document mode. The values worth attention are the ones that loosen protection for content rendered inside the process: FEATURE_LOCALMACHINE_LOCKDOWN, FEATURE_BLOCK_LMZ_SCRIPT, FEATURE_BLOCK_LMZ_OBJECT, FEATURE_WINDOW_RESTRICTIONS and FEATURE_WEBOC_POPUPMANAGEMENT are all set to 0, so Local Machine Zone script and objects, window manipulation and pop-ups are permitted for HTML loaded by tni.exe.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Modifies registry class

Here the sample registers CLSID {450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} under HKLM with the default name CFrameRateConvertDmo and an in-process server of C:\Windows\System32\mfvdsp.dll, a DLL in the system directory. The Files section for this run records memory dumps only and no dropped DLL, so no attacker-supplied server is involved here. Check a clean Windows 7 image for this CLSID to tell a new registration from a re-registration of an existing component.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "CFrameRateConvertDmo" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mfvdsp.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tni.exe

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.softinventive.com udp
US 72.52.196.33:443 www.softinventive.com tcp

Files

memory/1604-0-0x0000000005FB0000-0x0000000006197000-memory.dmp

memory/1604-10-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-17-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-12-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-14-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-16-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-18-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-22-0x0000000005FB0000-0x0000000006197000-memory.dmp

memory/1604-20-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-19-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-24-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

memory/1604-25-0x0000000005FB0000-0x0000000006197000-memory.dmp

memory/1604-21-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-33-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-34-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

memory/1604-36-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-37-0x0000000000400000-0x0000000004063000-memory.dmp

memory/1604-55-0x0000000000400000-0x0000000004063000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 07:32

Reported

2024-12-13 07:35

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

No indicator rows are attached to this signature in this run either; the CLSID registration under Modifies registry class below is the recorded COM activity. Unlike the Windows 7 run, the same CLSID is registered here as a managed component: InprocServer32 points at mscoree.dll, with Assembly = mscorlib 2.0 and Class = System.Security.Policy.AllMembershipCondition, and the Implemented Categories entry {62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} is the .NET component category. That layout is what .NET COM registration (RegAsm / RegistrationServices) produces, and the type named is a framework type, not code from the sample. One CLSID bound to two different servers on two platforms is not the fixed target a persistence mechanism needs, so check the CLSID on clean images of both OS versions before reporting this as T1546.015.

Checks installed software on the system

discovery

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tni.exe = "11000" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_FOLLOWHTTPREDIRECT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\tni.exe = "1" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\tni.exe = "0" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ProgId\ = "System.Security.Policy.AllMembershipCondition" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Class = "System.Security.Policy.AllMembershipCondition" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ProgId C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "System.Security.Policy.AllMembershipCondition" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mscoree.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
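The triage the two Modifies registry class tables call for (the Windows 7 table earlier in this report and the Windows 10 table just above), as an added example that is not part of the report and not the sandbox's own signature logic: parse the rows as printed, group them into one record per hive and CLSID, and apply the checks an analyst runs on a suspected COM hijack (which hive, where the in-process server lives, whether the registration is managed code, and whether the same CLSID is bound consistently across runs). The HIJACK_ROWS entry is constructed for contrast and does not appear in the report; its SID, DLL name and path are invented.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the two "Modifies registry class" tables
# (Description, Indicator, Process, Target columns separated by single spaces).
WIN7_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\ = "CFrameRateConvertDmo" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mfvdsp.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
]
WIN10_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\Class = "System.Security.Policy.AllMembershipCondition" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Windows\\System32\\mscoree.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
]
# Constructed row, NOT from the report: what an unprivileged T1546.015 hijack of the same
# CLSID would look like (user hive, server DLL in a user-writable directory). SID and DLL are invented.
HIJACK_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Classes\CLSID\{450AE28B-0A85-21BC-CA5E-3E3A77AA26F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hijack.dll" C:\Users\Admin\AppData\Local\Temp\tni.exe N/A',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^(Key created|Key opened|Key value queried) (.+) (\S+) (\S+)$')
CLSID_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER)(?:\\[^\\]+)?\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-F-]+\})(.*)$', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_row(line):
    """Split one report row into (op, registry path, unescaped value or None, process)."""
    m = SET_RE.match(line)
    if m:
        _kind, path, value, proc, _target = m.groups()
        return "set", path, value.replace("\\\\", "\\"), proc   # the report doubles backslashes in values
    m = KEY_RE.match(line)
    if m:
        op, path, proc, _target = m.groups()
        return op, path, None, proc
    raise ValueError("unrecognised row: " + line)


def collect_clsids(rows):
    """One record per (hive, CLSID): values keyed by (subkey, value name) plus created subkeys."""
    regs = {}
    for line in rows:
        op, path, value, proc = parse_row(line)
        m = CLSID_RE.match(path)
        if not m:
            continue                                   # not a CLSID registration row
        hive, clsid, rest = m.group(1).upper(), m.group(2).upper(), m.group(3).lstrip("\\")
        rec = regs.setdefault((hive, clsid), {"process": proc, "values": {}, "subkeys": set()})
        if op == "set":
            subkey, _, name = rest.rpartition("\\")    # "InprocServer32\" -> ("InprocServer32", ""), "" -> default value
            rec["values"][(subkey, name)] = value
        else:
            rec["subkeys"].add(rest)
    return regs


def triage(runs):
    """runs = {run name: collect_clsids(...)}. Returns (run, clsid, finding) tuples."""
    findings = []
    servers = defaultdict(dict)                        # clsid -> {run: InprocServer32 default value}
    for run, regs in runs.items():
        for (hive, clsid), rec in regs.items():
            server = rec["values"].get(("InprocServer32", ""), "")
            servers[clsid][run] = server.lower()
            if hive == "USER":
                findings.append((run, clsid, "user-hive registration: shadows the HKLM entry without admin rights"))
            else:
                findings.append((run, clsid, "HKLM registration: needs admin; confirm whether the CLSID pre-exists on a clean image"))
            if server and not server.lower().startswith(SYSTEM_DIRS):
                findings.append((run, clsid, "InprocServer32 outside the system directory: " + server))
            if server.lower().endswith("mscoree.dll"):   # managed registration: the real code is Assembly/Class
                asm = rec["values"].get(("InprocServer32", "Assembly"), "?")
                cls = rec["values"].get(("InprocServer32", "Class"), "?")
                findings.append((run, clsid, f"managed registration: code that runs is {cls} from {asm}, not mscoree.dll"))
    for clsid, per_run in servers.items():
        if len(set(per_run.values())) > 1:
            detail = ", ".join(f"{r}={s}" for r, s in sorted(per_run.items()))
            findings.append(("*", clsid, "same CLSID bound to different servers across runs: " + detail))
    return findings


if __name__ == "__main__":
    runs = {"win7": collect_clsids(WIN7_ROWS), "win10": collect_clsids(WIN10_ROWS),
            "constructed": collect_clsids(HIJACK_ROWS)}
    for run, clsid, finding in triage(runs):
        print(f"[{run}] {clsid}: {finding}")
```

On the report's own rows the only findings are the two HKLM registrations, the managed registration on Windows 10 and the server mismatch between runs; the constructed row is the one that trips the user-hive and non-system-directory checks, which is the shape a working hijack has.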

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tni.exe

"C:\Users\Admin\AppData\Local\Temp\tni.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

PrintWorkflowUserSvc is the per-user Print Workflow service of Windows 10. The report records no parent/child relationship between tni.exe and this svchost instance and no injection into it, so treat it as guest background activity unless the process tree or the memory dumps show otherwise.

Network

The in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8. Only 33.196.52.72.in-addr.arpa corresponds to an address the sample contacted (72.52.196.33, the www.softinventive.com connection); the other eight match no forward lookup and no connection in this table, which is what resolver and OS background activity in the guest looks like, so do not attribute them to the sample.

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.softinventive.com udp
US 72.52.196.33:443 www.softinventive.com tcp
US 8.8.8.8:53 33.196.52.72.in-addr.arpa udp
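The separation of sample traffic from resolver noise described above, worked through in code as an added example (not part of the report, and not the sandbox's own logic): the table rows are embedded as they appear, each PTR name is turned back into the address it asks about, and the result is split into what the sample connected to, what it resolved, and which reverse lookups are unexplained by either.

```python
import ipaddress

# Rows copied from the behavioral2 Network table (Country, Destination, Domain, Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.softinventive.com udp
US 72.52.196.33:443 www.softinventive.com tcp
US 8.8.8.8:53 33.196.52.72.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'33.196.52.72.in-addr.arpa' -> '72.52.196.33'; None for anything that is not a valid IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[:-len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))   # PTR labels are the octets in reverse order
    except ipaddress.AddressValueError:
        return None


def classify(rows):
    """Split the network table into sample contacts, forward lookups and PTR lookups, then
    mark each PTR lookup as explained (its address was contacted) or unexplained."""
    contacts = {}      # domain -> set of "ip:port" endpoints actually connected to (non-DNS ports)
    lookups = set()    # forward names asked of the resolver
    ptr = {}           # address -> PTR name queried
    for line in rows.strip().splitlines():
        _country, dest, domain, _proto = line.split()
        host, port = dest.rsplit(":", 1)
        ip = ptr_to_ip(domain)
        if ip:
            ptr[ip] = domain
        elif port == "53":
            lookups.add(domain)
        else:
            contacts.setdefault(domain, set()).add(dest)
    contacted_ips = {ep.rsplit(":", 1)[0] for eps in contacts.values() for ep in eps}
    return {
        "contacts": contacts,
        "lookups": lookups,
        "ptr_of_contacted": {ip: n for ip, n in ptr.items() if ip in contacted_ips},
        "ptr_unexplained": sorted(ip for ip in ptr if ip not in contacted_ips),
    }


if __name__ == "__main__":
    r = classify(NETWORK_ROWS)
    print("sample contacts:", r["contacts"])
    print("PTR for contacted addresses:", r["ptr_of_contacted"])
    print("PTR with no matching activity:", r["ptr_unexplained"])
```

The same function applied to the behavioral1 table, which has no PTR rows, yields the single softinventive contact and nothing unexplained; the difference between the two runs is the guest OS, not the sample.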

Files

memory/4904-0-0x0000000006370000-0x0000000006557000-memory.dmp

memory/4904-10-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-12-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-14-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-16-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-17-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-18-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-19-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-22-0x0000000006370000-0x0000000006557000-memory.dmp

memory/4904-20-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-21-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-24-0x0000000005D10000-0x0000000005D11000-memory.dmp

memory/4904-25-0x0000000006370000-0x0000000006557000-memory.dmp

memory/4904-27-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-29-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-30-0x0000000006B50000-0x0000000006B51000-memory.dmp

memory/4904-37-0x0000000005D10000-0x0000000005D11000-memory.dmp

memory/4904-38-0x0000000000400000-0x0000000004063000-memory.dmp

memory/4904-39-0x0000000006B50000-0x0000000006B51000-memory.dmp

memory/4904-41-0x0000000000400000-0x0000000004063000-memory.dmp