Edit tour

Windows Analysis Report
NinjaRMMAgentPatcher.exe

Overview

General Information

Sample Name:	NinjaRMMAgentPatcher.exe
Analysis ID:	620091
MD5:	f6c1a6015e7c5ce658b9efcdb211d092
SHA1:	8313b005765e64f90ae4f16001f5c798b1cc9410
SHA256:	8292bd816a9c1ddb07c842703a4a346aaf9d250d7b860c9681209fca85c10a9d
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Uses code obfuscation techniques (call, push, ret)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

NinjaRMMAgentPatcher.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe" MD5: F6C1A6015E7C5CE658B9EFCDB211D092)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: NinjaRMMAgentPatcher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NinjaRMMAgentPatcher.exe

Static PE information: certificate valid

Source: NinjaRMMAgentPatcher.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\uvcpkgs\master\buildtrees\curl\x86-windows-static-v140-rel\src\curl.pdb source: NinjaRMMAgentPatcher.exe
Source:	Binary string: ssl\bio_ssl.cSSLv3/TLS read certificate statusSSLv3/TLS write next protoSSLv3/TLS read next protoSSLv3/TLS write certificate statusbefore SSL initializationSSL negotiation finished successfullySSLv3/TLS write client helloSSLv3/TLS read server helloSSLv3/TLS read server certificateSSLv3/TLS read server key exchangeSSLv3/TLS read server certificate requestSSLv3/TLS read server session ticketSSLv3/TLS read server doneSSLv3/TLS write client certificateSSLv3/TLS write client key exchangeSSLv3/TLS write certificate verifySSLv3/TLS write change cipher specSSLv3/TLS write finishedSSLv3/TLS read change cipher specSSLv3/TLS read finishedSSLv3/TLS read client helloSSLv3/TLS write hello requestSSLv3/TLS write server helloSSLv3/TLS write certificateSSLv3/TLS write key exchangeSSLv3/TLS write certificate requestSSLv3/TLS write session ticketSSLv3/TLS write server doneSSLv3/TLS read client certificateSSLv3/TLS read client key exchangeSSLv3/TLS read certificate verifyDTLS1 read hello verify requestDTLS1 write hello verify requestTLSv1.3 write encrypted extensionsTLSv1.3 read encrypted extensionsTLSv1.3 read server certificate verifyTLSv1.3 write server certificate verifySSLv3/TLS read hello requestTLSv1.3 write server key updateTLSv1.3 write client key updateTLSv1.3 read client key updateTLSv1.3 read server key updateTLSv1.3 early dataTLSv1.3 pending early data endTLSv1.3 write end of early dataTLSv1.3 read end of early dataSSLERRTRNPTWSTTWCSTRCSTRSTTWNPPINIT SSLOK TWCHTRSHTRSCTRSKETRCRTRSDTWCCTWCKETWCVTWCCSTWFINTRCCSTRFINTWHRTRCHTWSHTWSCTWSKETWCRTWSDTRCCTRCKETRCVDRCHVDWCHVTWEETREETRSCVTRHRTWSKUTWCKUTRCKUTRSKUTEDTPEDETWEOEDUNKWN close notifyunexpected_messagebad record macdecompression failurehandshake failureno certificatebad certificateunsupported certificatecertificate expiredcertificate unknownillegal parameterrecord overflowunknown CAaccess deniedexport restrictionprotocol versionuser canceledunsupported extensioncertificate unobtainableunrecognized namebad certificate status responsebad certificate hash valueunknown PSK identitycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\rand\randfile.cFilename=RANDFILEHOMESYSTEMROOT.rnd source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437042331.00000000019D4000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: expected true storage.pDb_ != NULL source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root_x86\NinjaRMMAgentPatcher\NinjaRMMAgentPatcher.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: NinjaRMMAgentPatcher.exe
Source:	Binary string: expected true is_opened()D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence/sqlite_storage.h);expected true actual_bind_size == expected_bind_sizeD:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence/sqlite_binders.h:%d :%d error %d: ..\src\ninjarmm-agentlib\persistence\sqlite_storage.cppexpected true pDb_ != NULLexpected true pStatementTextexpected true pStmtexpected true storage.pDb_ != NULLexpected true storage.pDb_ == pStorage_->pDb_..\src\ninjarmm-agentlib\persistence\sqlite_binders.cpp%s:%d can't bind rowid value [%llu] to statement param %d%s:%d can't map row param %d value [%d] to table_STATUS_v1::status_tue5o87wpno;q836 iop[lpkskop' o9871sdkjh ;srghj ;lwrg-mwnoetiuh w;oi46thgn ajog oq873r50q23l; [56984239465T-2305 3[5T8 QU -MV964 [YW08456 agfq 725184340Q2N 9ERa;slfhg;sl ;-ASIUWY98476-3WM5VM [] -070I .]0StatusSoftware\NinjaRMM LLC\NinjaRMMAgent\Server\Actions\Agent\NinjaWPM === Start of all settings === === Server settings === === Agent settings === === NinjaWPM settings === === End of all settings ===DefaultHTTPProto..\3rdparty\qtstatic\shared\settings.cpp0.0.00.0.0.1Access error on save settings to: %1. Please set right permissions for current user. On Windows: Regedit -> <target path> -> Permissions -> <target user> -> Full access. On Unix: chmod 777 <target path>Error on set settings for: %1, error type: %2, key: %3, val: %4, isWritable: %5, permissions: %6Failed to read for key {} : {}/{}SECURE_READ_SETTINGS_FAILUREPendingProxyRemovalProxyHostNo Proxy to remove.ProxyTypeProxyPortProxyAuthNameProxy removal completed.Reading Proxy info No proxy settings found -> Using direct connection.Proxy type "no" detected -> Using direct connection.Setting Proxy info source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: NinjaRMMAgentPatcher.exe
Source:	Binary string: D:\uvcpkgs\master\buildtrees\nj-winpty\x86-windows-static-v140-rel\winpty-agent.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root_x86\3rdparty\qtstatic\njcli\ninjarmm-cli.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: expected true storage.pDb_ == pStorage_->pDb_ source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdbM source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437042331.00000000019D4000.00000002.00000001.01000000.00000003.sdmp

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp

String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.symcd.com06
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.432775465.0000000001240000.00000002.00000001.01000000.00000003.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000002.450472842.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://curl.haxx.se/P
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.s
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.432775465.0000000001240000.00000002.00000001.01000000.00000003.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000002.450472842.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://powershellexplained.com/2017-05-27-Powershell-module-building-basics/
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://resources.ninjarmm.com/AgentInstallers/cabarc_5.2.3790.0.zip
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://resources.ninjarmm.com/AgentInstallers/cabarc_5.2.3790.0.zip16841d3e9f88e032be1f769da9ab0901
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/#t
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/$
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/-
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.445392311.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/.
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/1
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/=t
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/G
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/M
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/%-/K
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.443972838.0000000004363000.00000004.00000800.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444192172.0000000004366000.00000004.00000800.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444342528.0000000004366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/0
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/1
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/4-
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/5._J
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/:..J
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/=
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/D.LJ
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/G-MK
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/L
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/V-zK
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/W.
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/_
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/e
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/f.jJ
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/n
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/q.
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444817089.00000000028D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/rr&
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.445414438.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.445404472.00000000028D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/v
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/y
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/Ot
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/Q
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/R
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/c
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/https://resources.ninjarmm.com/Bitdefender/MAC/Account
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/i
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444514343.000000000294E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444359674.0000000002945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/n
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.445392311.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/r
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000002.457756140.000000000299C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/rp:J
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/u
Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444514343.000000000294E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444359674.0000000002945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/v
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/(https?
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/sample_policy_tmp_2.json
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.432775465.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.432775465.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \AsynchDNSDebugTrackMemoryIDNIPv6LargefileSSPIGSS-APIKerberosSPNEGONTLMNTLM_WBSSLlibzbrotliCharConvTLS-SRPHTTP2HTTP3UnixSocketsHTTPS-proxyMultiSSLPSLESNI --abstract-unix-socket <path>Connect via abstract Unix domain socket --alt-svc <file name>Enable alt-svc with this cache file --anyauthPick any authentication method-a, --appendAppend to target file when uploading --basicUse HTTP Basic Authentication --cacert <file>CA certificate to verify peer against --capath <dir>CA directory to verify peer against-E, --cert <certificate[:password]>Client certificate file and password --cert-statusVerify the status of the server certificate --cert-type <type>Certificate file type (DER/PEM/ENG) --ciphers <list of ciphers>SSL ciphers to use --compressedRequest compressed response --compressed-sshEnable SSH compression-K, --config <file>Read config from a file --connect-timeout <seconds>Maximum time allowed for connection --connect-to <HOST1:PORT1:HOST2:PORT2>Connect to host-C, --continue-at <offset>Resumed transfer offset-b, --cookie <data\|filename>Send cookies from string/file-c, --cookie-jar <filename>Write cookies to <filename> after operation --create-dirsCreate necessary local directory hierarchy --crlfConvert LF to CRLF in upload --crlfile <file>Get a CRL list in PEM format from the given file-d, --data <data>HTTP POST data --data-ascii <data>HTTP POST ASCII data --data-binary <data>HTTP POST binary data --data-raw <data>HTTP POST data, '@' allowedUsage: curl [options...] <url> %-19s %s
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.450472842.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.450472842.0000000001240000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \AsynchDNSDebugTrackMemoryIDNIPv6LargefileSSPIGSS-APIKerberosSPNEGONTLMNTLM_WBSSLlibzbrotliCharConvTLS-SRPHTTP2HTTP3UnixSocketsHTTPS-proxyMultiSSLPSLESNI --abstract-unix-socket <path>Connect via abstract Unix domain socket --alt-svc <file name>Enable alt-svc with this cache file --anyauthPick any authentication method-a, --appendAppend to target file when uploading --basicUse HTTP Basic Authentication --cacert <file>CA certificate to verify peer against --capath <dir>CA directory to verify peer against-E, --cert <certificate[:password]>Client certificate file and password --cert-statusVerify the status of the server certificate --cert-type <type>Certificate file type (DER/PEM/ENG) --ciphers <list of ciphers>SSL ciphers to use --compressedRequest compressed response --compressed-sshEnable SSH compression-K, --config <file>Read config from a file --connect-timeout <seconds>Maximum time allowed for connection --connect-to <HOST1:PORT1:HOST2:PORT2>Connect to host-C, --continue-at <offset>Resumed transfer offset-b, --cookie <data\|filename>Send cookies from string/file-c, --cookie-jar <filename>Write cookies to <filename> after operation --create-dirsCreate necessary local directory hierarchy --crlfConvert LF to CRLF in upload --crlfile <file>Get a CRL list in PEM format from the given file-d, --data <data>HTTP POST data --data-ascii <data>HTTP POST ASCII data --data-binary <data>HTTP POST binary data --data-raw <data>HTTP POST data, '@' allowedUsage: curl [options...] <url> %-19s %s
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: \AsynchDNSDebugTrackMemoryIDNIPv6LargefileSSPIGSS-APIKerberosSPNEGONTLMNTLM_WBSSLlibzbrotliCharConvTLS-SRPHTTP2HTTP3UnixSocketsHTTPS-proxyMultiSSLPSLESNI --abstract-unix-socket <path>Connect via abstract Unix domain socket --alt-svc <file name>Enable alt-svc with this cache file --anyauthPick any authentication method-a, --appendAppend to target file when uploading --basicUse HTTP Basic Authentication --cacert <file>CA certificate to verify peer against --capath <dir>CA directory to verify peer against-E, --cert <certificate[:password]>Client certificate file and password --cert-statusVerify the status of the server certificate --cert-type <type>Certificate file type (DER/PEM/ENG) --ciphers <list of ciphers>SSL ciphers to use --compressedRequest compressed response --compressed-sshEnable SSH compression-K, --config <file>Read config from a file --connect-timeout <seconds>Maximum time allowed for connection --connect-to <HOST1:PORT1:HOST2:PORT2>Connect to host-C, --continue-at <offset>Resumed transfer offset-b, --cookie <data\|filename>Send cookies from string/file-c, --cookie-jar <filename>Write cookies to <filename> after operation --create-dirsCreate necessary local directory hierarchy --crlfConvert LF to CRLF in upload --crlfile <file>Get a CRL list in PEM format from the given file-d, --data <data>HTTP POST data --data-ascii <data>HTTP POST ASCII data --data-binary <data>HTTP POST binary data --data-raw <data>HTTP POST data, '@' allowedUsage: curl [options...] <url> %-19s %s

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.457161859.00000000028AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: NinjaRMMAgentPatcher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNinjaRMMProxyProcess64.exe: vs NinjaRMMAgentPatcher.exe
Source: NinjaRMMAgentPatcher.exe, 00000000.00000000.432775465.0000000001240000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecurl.exeH vs NinjaRMMAgentPatcher.exe
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.450472842.0000000001240000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecurl.exeH vs NinjaRMMAgentPatcher.exe
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456309933.0000000002131000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNinjaRMMAgentPatcherJ vs NinjaRMMAgentPatcher.exe
Source: NinjaRMMAgentPatcher.exe	Binary or memory string: OriginalFilenamecurl.exeH vs NinjaRMMAgentPatcher.exe

Source: NinjaRMMAgentPatcher.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NinjaRMMAgentPatcher.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe "C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe"
Source: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000002.453149064.000000000187E000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: com.slnishinomiya.hyogo.jpkustanai.rucom.snpassenger-association.aerocom.sotsushima.nagasaki.jpcom.stuy.comx.seisa-geek.comcom.sv

Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: Installer cannot load one of its configuration files (install_config.xml, install_x86.xml/install_x64.xml) or cannot find addition
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: Installer cannot load one of its configuration files (install_config.xml, install_x86.xml/install_x64.xml) or cannot find additional.dll
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: zJPlhFAILED_HTTP_POST_{}Got error {} when POST to {}D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-common\httpdownloader.hFIX ME! Failed to capture distress message!FAILED_HTTP_GET_{}Got error {} when calling GET from {}https://resources.ninjarmm.com/Bitdefender/https://resources.ninjarmm.com/Bitdefender/MAC/Account is restrictedThe installer was run under an user with insufficient privilegesInstaller.exe is not compliant with the operating system architectureThe product configuration JSON could not be run at the end of the installationInstaller cannot load one of its configuration files (install_config.xml, install_x86.xml/install_x64.xml) or cannot find additional.dllA restart action is pending as a result of another maintenance (install, repair, modify, uninstall) operation that required restart in order to finish correctlyThere isn't enough space on the disk for the product to be installedUnsupported operating system. The list of supported operated systems can be found hereWrong Windows Installer version installed on the machineInstaller.exe is already running. Or, in case installer runs silent without "modify", "repair" or "remove" command line parameter specified on a machine where the product has already been installed. This code is also returned when an older version of the product is run over a newer versionUninstalling a competitor product failedThe installer was started with an invalid command line or no feature was selected to be installed. Valid installer command line arguments are defined in Installer parameters sectionError code returned when installer runs silent and it needs reboot to finish its maintenance processThe installer cannot create the installation path, for any reasonAnother installation is in progressThe provided installation path is invalidThe provided installation path is a network drive. Installation not allowed on network drives (including mapped drives)The password provided for a maintenance operation does not match the password set at installationRemote scan engines are selected to be installed on the system and remote scan is not enabled or no remote scan servers are specified GetLastError() Other Windows error codes in different situationsModify failed at update stage because of a connection problem between the client and the update server The operation may be retried after the connection is establishedModify failed at update stage because the downloaded files were corrupted The operation may be retried after any network problem that might corrupt the files is solvedModify failed at update stage because the connection to the update server has timedout The operation may be retriedModify failed at update stage because the update server has not yet synchronized the update locations(the update location hasn't been requested yet by any client; the update server will begin to synchronize it at the first request) A retry is highly advisableModify failed at update stage because the update server isn't configured to
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: /config/installed.conf
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: Pfirstsecondthirdfourth..\3rdparty\qtstatic\shared\utils.cppSuccessfully removed: Failed to remove: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePageOEMCP^.%1.$yesnopenultimatelastyyyy-MM-ddThh:mm:ssZhh:mm:ssyyyy-MM-ddThh:mm:ss\AgentHKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NinjaRMM LLC\NinjaRMMAgentNodeIdHKEY_LOCAL_MACHINE\SOFTWARE\NinjaRMM LLC\NinjaRMMAgentRemoving authId since it has expired..nodes_____action_jobscontentjobUidstartTimeendTimejobTypecreateTimesourceNamesourceUidupdateTimejobResultjobStatusresultContentactivitiesactivityTypeseverityactivityStatus%1%2.oldbat:/scripts/%1.%2%1/%2.%3File {} already exists, and checksum is good.Old file {} detected, will attempt to removeSuccessfully removed file {}Failed to remove file {}Successfully copied {} to {}Failed to copy {} to {}ps1Wrong call to unpack PowerShell script, data-replacement not supported for signed scripts.UNPACK_SCRIPT_PSH_WRONG_FUNCERROR: Failed to open file '%1': %2ERROR: Failed to set permissions for file '%1': %2Utils::executeScript: file not foundFailed to execute file '%1': %2Executed script, Script output:powershell-ExecutionPolicyBypass-FScript Result: %1/%2Removing Flag Successfully removedFailed to removeIGNORE_VERSION_MISMACHEnviornment variable to ignore version mismatch is set!237810ReadOwnerWriteOwnerExeOwnerReadUserWriteUserExeUserReadGroupWriteGroupExeGroupReadOtherWriteOtherExeOther%1/%2/%1/%2/%3ddMMyyyy_HH.mm.ss{datetime}Unable to open file: Variable %1 doesn't exist by path: %2Failed to get value for variable.Failed to open R_KEY by path.No errorHKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NinjaRMM LLC\NinjaRMMAgent\AgentHKEY_LOCAL_MACHINE\SOFTWARE\NinjaRMM LLC\NinjaRMMAgent\Agent/config/installed.confC:/ProgramData/ is installed by NinjaInstall Flag is not set to 1 so is not installed by NinjaInstall Flag is not set so largeFileUploadThresh/config/user_adjustbale.confERROR: getLargeFileUploadThresh could not set / read value, using the default of : useroptionsconsolePasswordC:\Users\userProfileDocumentsMy Documents
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: ZcproductStatedefinitionStatus-INSTALL_STARTEDBitdefender installation startedagent_act_bitdefender_inst_startANTIVIRUSBITDEFENDER_INSTALLATION_STARTEDint __thiscall BitDefenderWorker::installBitDefender(const class QString &)..\3rdparty\qtstatic\svclib\workers\bitdefenderworker.cppBitDefender sucessfully installedBitdefender installation successfully finishedagent_act_bitdefender_inst_successBITDEFENDER_INSTALLATION_SUCCEEDEDBitDefenderInstalledByNinjaBitdefender needs a reboot to be installedINSTALL_FAILEDA reboot is needed for Bitdefender to retry and complete installationagent_act_bitdefender_inst_fail_rebootBITDEFENDER_INSTALLATION_FAILEDBitdefender installation failed. Error code is #%1: %2Bitdefender installation failed. Error code is #%1: Unknown error codeagent_act_bitdefender_inst_fail_codeerror_codeerror_msgError installBitDefender result=BitDefenderWorker::uninstall() called. isInstalledByNinja [{}]workThroughProxyProcess: {}, isBitDefenderIntegrationServiceStarted: {}bool __thiscall BitDefenderWorker::uninstall(void)Proxy is not started... attempt to startUnsetting password in progressUNINSTALL_REQUESTEDBitdefender has started uninstallationagent_act_bitdefender_uninst_startedBITDEFENDER_UNINSTALLATION_STARTED%1/logs/bd_uninstall.log
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: false-start
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: http1.001http1.102http203http2-prior-knowledge04http309http0.91tlsv110tlsv1.011tlsv1.112tlsv1.213tlsv1.31Atls13-ciphers1Bproxy-tls13-ciphers2sslv23sslv34ipv46ipv6aappendAuser-agentbcookiebaalt-svcBuse-asciiccookie-jarCcontinue-atddatadrdata-rawdadata-asciidbdata-binarydedata-urlencodeDdump-headererefererEcertEacacertEbcert-typeEckeyEdkey-typeEepassEfengineEgcapathEhpubkeyEihostpubmd5EjcrlfileEktlsuserEltlspasswordEmtlsauthtypeEnssl-allow-beastEppinnedpubkeyEPproxy-pinnedpubkeyEqcert-statusErfalse-startEsssl-no-revokeEttcp-fastopenEuproxy-tlsuserEvproxy-tlspasswordEwproxy-tlsauthtypeExproxy-certEyproxy-cert-typeEzproxy-keyE0proxy-key-typeE1proxy-passE2proxy-ciphersE3proxy-crlfileE4proxy-ssl-allow-beastE5login-optionsE6proxy-cacertE7proxy-capathE8proxy-insecureE9proxy-tlsv1EAsocks5-basicEBsocks5-gssapiECetag-saveEDetag-compareffailfafail-earlyfbstyled-outputFformFsform-stringggloboffGgetGarequest-targethhelpHheaderHpproxy-headeriincludeIheadjjunk-session-cookiesJremote-header-namekinsecureKconfigllist-onlyLlocationLtlocation-trustedmmax-timeMmanualnnetrcnonetrc-optionalnenetrc-fileNbufferooutputOremote-nameOaremote-name-allpproxytunnelPftp-portqdisableQquoterrangeRremote-timessilentSshow-errorttelnet-optionTupload-fileuuserUproxy-uservverboseVversionwwrite-outxproxyxapreproxyXrequestYspeed-limityspeed-timeztime-condZparallelZbparallel-maxZcparallel-immediate#progress-bar#mprogress-meter:next\
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: dns-ipv4-addr
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: dns-ipv6-addr
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: --false-start
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: -h, --help
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: -h, --help
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: \@url4dns-ipv4-addr6dns-ipv6-addrarandom-filebegd-fileBoauth2-bearercconnect-timeoutCdoh-urldciphersDdns-interfaceedisable-epsvfdisallow-username-in-urlEepsvFdns-serversgtraceGnpnhtrace-asciiHalpnilimit-ratejcompressedJtr-encodingkdigestlnegotiatemntlmMntlm-wbnbasicoanyauthqftp-create-dirsrcreate-dirssmax-redirstproxy-ntlmucrlfvstderrwinterfacexkrbkrb4Xhaproxy-protocolymax-filesizezdisable-eprtZeprt~xattr$aftp-sslssl$bftp-pasv$csocks5$dtcp-nodelay$eproxy-digest$fproxy-basic$gretry$Vretry-connrefused$hretry-delay$iretry-max-time$kproxy-negotiate$mftp-account$nproxy-anyauth$otrace-time$pignore-content-length$qftp-skip-pasv-ip$rftp-method$slocal-port$tsocks4$Tsocks4a$uftp-alternative-to-user$vftp-ssl-reqdssl-reqd$wsessionid$xftp-ssl-control$yftp-ssl-ccc$jftp-ssl-ccc-mode$zlibcurl$#raw$0post301$1keepalive$2socks5-hostname$3keepalive-time$4post302$5noproxy$7socks5-gssapi-nec$8proxy1.0$9tftp-blksize$Amail-from$Bmail-rcpt$Cftp-pret$Dproto$Eproto-redir$Fresolve$Gdelegation$Hmail-auth$Ipost303$Jmetalink$6sasl-authzid$Ksasl-ir$Ltest-event$Munix-socket$Npath-as-is$Osocks5-gssapi-serviceproxy-service-name$Pservice-name$Qproto-default$Rexpect100-timeout$Stftp-no-options$Uconnect-to$Wabstract-unix-socket$Xtls-max$Ysuppress-connect-headers$Zcompressed-ssh$~happy-eyeballs-timeout-ms0pkcs11::\D:\uvcpkgs\master\buildtrees\curl\src\url-7_68_0-cd669cc759\src\tool_getparam.cinvalid number specified for %s
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: --dump-module-pathsNote: Warning: curl: curl: try 'curl --help' for more information
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: --dump-module-pathsNote: Warning: curl: curl: try 'curl --help' for more information
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: set-addPolicy
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: id-cmc-addExtensions
Source: NinjaRMMAgentPatcher.exe	String found in binary or memory: Get-ADDefaultDomainPasswordPolicy

Source: classification engine

Classification label: clean2.winEXE@2/1@0/0

Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: NinjaRMMAgentPatcher.exe

Static file information: File size 25645616 > 1048576

Source: NinjaRMMAgentPatcher.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NinjaRMMAgentPatcher.exe

Static PE information: certificate valid

Source: NinjaRMMAgentPatcher.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x91e200
Source: NinjaRMMAgentPatcher.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xeb4c00

Source: NinjaRMMAgentPatcher.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NinjaRMMAgentPatcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NinjaRMMAgentPatcher.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: NinjaRMMAgentPatcher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\uvcpkgs\master\buildtrees\curl\x86-windows-static-v140-rel\src\curl.pdb source: NinjaRMMAgentPatcher.exe
Source:	Binary string: ssl\bio_ssl.cSSLv3/TLS read certificate statusSSLv3/TLS write next protoSSLv3/TLS read next protoSSLv3/TLS write certificate statusbefore SSL initializationSSL negotiation finished successfullySSLv3/TLS write client helloSSLv3/TLS read server helloSSLv3/TLS read server certificateSSLv3/TLS read server key exchangeSSLv3/TLS read server certificate requestSSLv3/TLS read server session ticketSSLv3/TLS read server doneSSLv3/TLS write client certificateSSLv3/TLS write client key exchangeSSLv3/TLS write certificate verifySSLv3/TLS write change cipher specSSLv3/TLS write finishedSSLv3/TLS read change cipher specSSLv3/TLS read finishedSSLv3/TLS read client helloSSLv3/TLS write hello requestSSLv3/TLS write server helloSSLv3/TLS write certificateSSLv3/TLS write key exchangeSSLv3/TLS write certificate requestSSLv3/TLS write session ticketSSLv3/TLS write server doneSSLv3/TLS read client certificateSSLv3/TLS read client key exchangeSSLv3/TLS read certificate verifyDTLS1 read hello verify requestDTLS1 write hello verify requestTLSv1.3 write encrypted extensionsTLSv1.3 read encrypted extensionsTLSv1.3 read server certificate verifyTLSv1.3 write server certificate verifySSLv3/TLS read hello requestTLSv1.3 write server key updateTLSv1.3 write client key updateTLSv1.3 read client key updateTLSv1.3 read server key updateTLSv1.3 early dataTLSv1.3 pending early data endTLSv1.3 write end of early dataTLSv1.3 read end of early dataSSLERRTRNPTWSTTWCSTRCSTRSTTWNPPINIT SSLOK TWCHTRSHTRSCTRSKETRCRTRSDTWCCTWCKETWCVTWCCSTWFINTRCCSTRFINTWHRTRCHTWSHTWSCTWSKETWCRTWSDTRCCTRCKETRCVDRCHVDWCHVTWEETREETRSCVTRHRTWSKUTWCKUTRCKUTRSKUTEDTPEDETWEOEDUNKWN close notifyunexpected_messagebad record macdecompression failurehandshake failureno certificatebad certificateunsupported certificatecertificate expiredcertificate unknownillegal parameterrecord overflowunknown CAaccess deniedexport restrictionprotocol versionuser canceledunsupported extensioncertificate unobtainableunrecognized namebad certificate status responsebad certificate hash valueunknown PSK identitycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\rand\randfile.cFilename=RANDFILEHOMESYSTEMROOT.rnd source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437042331.00000000019D4000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: expected true storage.pDb_ != NULL source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root_x86\NinjaRMMAgentPatcher\NinjaRMMAgentPatcher.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000002.456021640.000000000202E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: NinjaRMMAgentPatcher.exe
Source:	Binary string: expected true is_opened()D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence/sqlite_storage.h);expected true actual_bind_size == expected_bind_sizeD:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence/sqlite_binders.h:%d :%d error %d: ..\src\ninjarmm-agentlib\persistence\sqlite_storage.cppexpected true pDb_ != NULLexpected true pStatementTextexpected true pStmtexpected true storage.pDb_ != NULLexpected true storage.pDb_ == pStorage_->pDb_..\src\ninjarmm-agentlib\persistence\sqlite_binders.cpp%s:%d can't bind rowid value [%llu] to statement param %d%s:%d can't map row param %d value [%d] to table_STATUS_v1::status_tue5o87wpno;q836 iop[lpkskop' o9871sdkjh ;srghj ;lwrg-mwnoetiuh w;oi46thgn ajog oq873r50q23l; [56984239465T-2305 3[5T8 QU -MV964 [YW08456 agfq 725184340Q2N 9ERa;slfhg;sl ;-ASIUWY98476-3WM5VM [] -070I .]0StatusSoftware\NinjaRMM LLC\NinjaRMMAgent\Server\Actions\Agent\NinjaWPM === Start of all settings === === Server settings === === Agent settings === === NinjaWPM settings === === End of all settings ===DefaultHTTPProto..\3rdparty\qtstatic\shared\settings.cpp0.0.00.0.0.1Access error on save settings to: %1. Please set right permissions for current user. On Windows: Regedit -> <target path> -> Permissions -> <target user> -> Full access. On Unix: chmod 777 <target path>Error on set settings for: %1, error type: %2, key: %3, val: %4, isWritable: %5, permissions: %6Failed to read for key {} : {}/{}SECURE_READ_SETTINGS_FAILUREPendingProxyRemovalProxyHostNo Proxy to remove.ProxyTypeProxyPortProxyAuthNameProxy removal completed.Reading Proxy info No proxy settings found -> Using direct connection.Proxy type "no" detected -> Using direct connection.Setting Proxy info source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: NinjaRMMAgentPatcher.exe
Source:	Binary string: D:\uvcpkgs\master\buildtrees\nj-winpty\x86-windows-static-v140-rel\winpty-agent.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root_x86\3rdparty\qtstatic\njcli\ninjarmm-cli.pdb source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: expected true storage.pDb_ == pStorage_->pDb_ source: NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdbM source: NinjaRMMAgentPatcher.exe, 00000000.00000000.437042331.00000000019D4000.00000002.00000001.01000000.00000003.sdmp

Source: NinjaRMMAgentPatcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NinjaRMMAgentPatcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NinjaRMMAgentPatcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NinjaRMMAgentPatcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NinjaRMMAgentPatcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe	Code function: 0_3_0299465E pushad ; retf	0_3_02994692
Source: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe	Code function: 0_3_0298E6C1 push esp; retn 004Eh	0_3_0298E6C2
Source: C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe	Code function: 0_3_029946BC pushad ; retn 004Ah	0_3_029946DA

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: NinjaRMMAgentPatcher.exe, 00000000.00000003.444769467.00000000028DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: NinjaRMMAgentPatcher.exe	Binary or memory string: Hyper-V Virtual Disk (VHD-format) fixed

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NinjaRMMAgentPatcher.exe	0%	Virustotal		Browse
NinjaRMMAgentPatcher.exe	0%	Metadefender		Browse

Source	Detection	Scanner	Label
http://www.phreedom.org/md5)08:27	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://www.phreedom.org/md5)	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://resources.ninjarmm.com/AgentInstallers/cabarc_5.2.3790.0.zip	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/V-zK	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phreedom.org/md5)08:27	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/MAC/G-MK	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/MAC/4-	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/AgentInstallers/cabarc_5.2.3790.0.zip16841d3e9f88e032be1f769da9ab0901	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
http://certificates.godaddy.com/repository/0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/1	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/libcurl/c/curl_easy_setopt.html	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/0	NinjaRMMAgentPatcher.exe, 00000000.00000003.443972838.0000000004363000.00000004.00000800.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444192172.0000000004366000.00000004.00000800.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444342528.0000000004366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/components/gravityzone/(https?	NinjaRMMAgentPatcher.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://bugreports.qt.io/	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/=t	NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/#t	NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/P	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/q.	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.godaddy.com/gdig2s5-6.crl0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/$	NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/L	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/copyright.htmlD	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/D.LJ	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/=	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/1	NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/netty/netty/issues/6520.s	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/.	NinjaRMMAgentPatcher.exe, 00000000.00000003.445392311.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/-	NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/components/gravityzone/	NinjaRMMAgentPatcher.exe	false		high
http://www.phreedom.org/md5)	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/MAC/v	NinjaRMMAgentPatcher.exe, 00000000.00000003.445414438.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.445404472.00000000028D1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/G	NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/f.jJ	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/y	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/MAC/	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/n	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/Ot	NinjaRMMAgentPatcher.exe, 00000000.00000003.444575056.000000000291A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certs.godaddy.com/repository/1301	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/netty/netty/issues/6520.	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/5._J	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/W.	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/MAC/e	NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/rr&	NinjaRMMAgentPatcher.exe, 00000000.00000003.444817089.00000000028D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://certs.godaddy.com/repository/0	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/%-/K	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/:..J	NinjaRMMAgentPatcher.exe, 00000000.00000003.444547628.000000000292F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/R	NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/Q	NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/https://resources.ninjarmm.com/Bitdefender/MAC/Account	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/components/gravityzone/sample_policy_tmp_2.json	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/M	NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/MAC/_	NinjaRMMAgentPatcher.exe, 00000000.00000003.444722835.00000000028F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/i	NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi	NinjaRMMAgentPatcher.exe, 00000000.00000002.455338619.0000000001D56000.00000002.00000001.01000000.00000003.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	NinjaRMMAgentPatcher.exe, 00000000.00000000.437671272.0000000001A7D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://resources.ninjarmm.com/Bitdefender/c	NinjaRMMAgentPatcher.exe, 00000000.00000003.444735633.00000000028EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/sslcerts.html	NinjaRMMAgentPatcher.exe	false		high
https://resources.ninjarmm.com/Bitdefender/v	NinjaRMMAgentPatcher.exe, 00000000.00000003.444514343.000000000294E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444359674.0000000002945000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/u	NinjaRMMAgentPatcher.exe, 00000000.00000003.444303402.0000000002972000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/r	NinjaRMMAgentPatcher.exe, 00000000.00000003.445392311.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/rp:J	NinjaRMMAgentPatcher.exe, 00000000.00000003.443980428.0000000002998000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000002.457756140.000000000299C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444196669.000000000299B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://resources.ninjarmm.com/Bitdefender/n	NinjaRMMAgentPatcher.exe, 00000000.00000003.444514343.000000000294E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000000.00000003.444359674.0000000002945000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	620091
Start date and time: 04/05/202210:56:17	2022-05-04 10:56:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NinjaRMMAgentPatcher.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winEXE@2/1@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target NinjaRMMAgentPatcher.exe, PID 7020 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1524
Entropy (8bit):	4.693213250398603
Encrypted:	false
SSDEEP:	24:M0r3kVww4evw6qoQw9Dwg5QQwjNQw+FQQwBzowkyfvPw3TwCboQwWAAQwf21KVws:lUuz6qa9Eg5ijn+wBBkn3UCbaTSusuqv
MD5:	C0A11F726116E1FBFF72B246DAF56E3A
SHA1:	FE16B3E15A3CBA4D55DBCEB476402B68EE5C8058
SHA-256:	C87CF5A0607ABD5E8C1B33D46D3080D198556746E53CF8BBA1D4D551526CD468
SHA-512:	D5E461DC7E7D46A5BF61058CF23306DC9F7E14580EF1AED9117144B35FDBDE75397B52AE30CD8C1B2EB41AA7209E67B97920BC872DB24168B8165BAC542B7C9D
Malicious:	false
Reputation:	low
Preview:	10:57:35.842 I :7024 [ WindowsTools.cpp:763] This process is running under WOW64..10:57:35.889 E :7024 [ ServerSettings.cpp:153] No location id was present...10:57:35.889 I :7024 [ ServerSettings.cpp:191] ServerSettings Host : ..10:57:35.889 I :7024 [ ServerSettings.cpp:192] ServerSettings Port : 0..10:57:35.889 I :7024 [ ServerSettings.cpp:193] ServerSettings HostName : ..10:57:35.889 I :7024 [ ServerSettings.cpp:194] ServerSettings ProxyHost : ..10:57:35.889 I :7024 [ ServerSettings.cpp:195] ServerSettings ProxyAuthName : ..10:57:35.889 I :7024 [ ServerSettings.cpp:196] ServerSettings ProxyType : 0..10:57:35.889 I :7024 [ ServerSettings.cpp:197] ServerSettings ProxyTunnel : 0..10:57:35.889 I :7024 [ ServerSettings.cpp:198] ServerSettings ProxyPort : 0..10:57:35.889 I :7024 [ ServerSettings.cpp:199] ServerSettings Clie

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.790710971060236
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NinjaRMMAgentPatcher.exe
File size:	25645616
MD5:	f6c1a6015e7c5ce658b9efcdb211d092
SHA1:	8313b005765e64f90ae4f16001f5c798b1cc9410
SHA256:	8292bd816a9c1ddb07c842703a4a346aaf9d250d7b860c9681209fca85c10a9d
SHA512:	c9205cdcb2456040bf8da4e8143f61cefeaf9a7034166dcc002e44a5f71e4cd570f8025151f98c315c1ae43e2a70498d54fca057f2621f53577d4f7652028991
SSDEEP:	393216:QedTmVJu0Ml9rEl6mdP7tR/eSi5IBuJsv6tWKFdu9C99Jsv6tWKFdu9C9doWJsvS:7wZe9rEl6mdjKIBGna+
TLSH:	A047BF92B682C532F5B6417A85A6CB7BC735FC104F2059C7B3DC362D1D326E16A3B60A
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......}E.A9$..9$..9$..bL...$..bL...$...}..;$....x.5$...z.."$...z...$...z...$..bL...$..9$..,$..bL..=$..bL...$..9$...&...z...'...z...'.

File Icon


Icon Hash:	9225694d4d4d0f92

Static PE Info

General

Entrypoint:	0xb5b545
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x626803BE [Tue Apr 26 14:37:50 2022 UTC]
TLS Callbacks:	0x816760, 0xb5b54f, 0xb5b5c2
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c16beead61a763751f688f00b2f65d92

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/10/2021 5:00:00 PM 10/10/2024 4:59:59 PM
Subject Chain	CN="NinjaRMM, LLC", O="NinjaRMM, LLC", S=California, C=US
Version:	3
Thumbprint MD5:	29638990831964B0A061363457AEC0B8
Thumbprint SHA-1:	10DB25A6F8C640EFFD01242AC15E9A6543A752C6
Thumbprint SHA-256:	7825B3E2161BB0C0BD7915891301FE9499CEA8B759087F28892591E12B1ED75E
Serial:	0082318963F2BE45BF7C49A490BEF568ED

Entrypoint Preview

Instruction
call 00007FC168A4AF46h
jmp 00007FC168A49EECh
push 0000000Ch
push 01BC8998h
call 00007FC168A4ACCAh
cmp dword ptr [ebp+0Ch], 02h
jne 00007FC168A4A091h
and dword ptr [ebp-04h], 00000000h
mov esi, 00D23354h
mov dword ptr [ebp-1Ch], esi
cmp esi, 00D23354h
je 00007FC168A4A076h
mov edi, dword ptr [esi]
test edi, edi
je 00007FC168A4A06Bh
mov ecx, edi
call 00007FC168A4AB81h
call edi
add esi, 04h
jmp 00007FC168A4A043h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FC168A4ACD6h
retn 000Ch
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
push dword ptr [eax]
call 00007FC168A4A072h
add esp, 04h
ret
mov esp, dword ptr [ebp-18h]
call 00007FC168A787C2h
int3
push ebp
mov ebp, esp
xor eax, eax
cmp dword ptr [ebp+08h], E06D7363h
sete al
pop ebp
ret
push ebp
mov ebp, esp
push ecx
push ecx
cmp dword ptr [ebp+0Ch], 03h
je 00007FC168A4A068h
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007FC168A4A0C9h
mov ecx, dword ptr [01C0D8B0h]
mov eax, dword ptr fs:[0000002Ch]
push ebx
push esi
mov ebx, dword ptr [eax+ecx*4]
mov dword ptr [ebp-08h], ebx
mov esi, dword ptr [ebx+00000070h]
test esi, esi
je 00007FC168A4A0A9h
push edi
mov edi, dword ptr [esi]
sub edi, 01h
js 00007FC168A4A086h
lea ebx, dword ptr [edi+02h]
lea ebx, dword ptr [esi+ebx*4]
mov eax, dword ptr [ebx]
mov dword ptr [ebp-04h], eax
test eax, eax
je 00007FC168A4A06Ch
mov ecx, eax
call 00007FC168A4AAF4h

Rich Headers

Programming Language:

[C++] VS2015 UPD3.1 build 24215
[ C ] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17d09d0	0x99c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17d136c	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1812000	0x1b7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1870a00	0x4830	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1814000	0x72914	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x172d9c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x172da74	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x172da18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x920000	0x9e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x91e0f2	0x91e200	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x920000	0xeb4a0e	0xeb4c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17d5000	0x3a6fc	0x28000	False	0.207653808594	data	5.41884961152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x1810000	0xf9	0x200	False	0.044921875	data	0.136463791656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x1811000	0xf00	0x1000	False	0.35400390625	data	3.71800174318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1812000	0x1b7c	0x1c00	False	0.180385044643	data	2.61083420446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1814000	0x72914	0x72a00	False	0.552851519902	data	6.66953864123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1812174	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x18125dc	0x10a8	data	English	United States
RT_GROUP_ICON	0x1813684	0x22	data	English	United States
RT_VERSION	0x18136a8	0x378	data	English	United States
RT_MANIFEST	0x1813a20	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ACTIVEDS.dll
GPEDIT.DLL	DeleteGPOLink, CreateGPOLink
NETAPI32.dll	DsGetDcNameW, NetShareGetInfo, NetShareEnum, NetWkstaGetInfo, NetShareAdd, NetApiBufferFree
msi.dll
WSOCK32.dll	getpeername, getsockname, getsockopt, htonl, htons, listen, ntohl, closesocket, bind, accept, __WSAFDIsSet, gethostname, ioctlsocket, WSAAsyncSelect, WSACleanup, WSAStartup, connect, WSAGetLastError, WSASetLastError, setsockopt, select, ntohs, inet_ntoa
IPHLPAPI.DLL	GetIfTable, GetAdaptersInfo, GetAdaptersAddresses, ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToIndex, ConvertInterfaceLuidToNameW, ConvertInterfaceNameToLuidW
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
USERENV.dll	GetUserProfileDirectoryW, CreateEnvironmentBlock
WTSAPI32.dll	WTSQuerySessionInformationW, WTSSendMessageW, WTSFreeMemory, WTSQueryUserToken, WTSEnumerateSessionsW
bcrypt.dll	BCryptGenRandom
WLDAP32.dll
WS2_32.dll	WSAConnect, WSAHtonl, WSANtohl, WSANtohs, WSARecvFrom, WSASendTo, inet_pton, WSASocketA, WSAGetOverlappedResult, shutdown, WSAIoctl, WSARecv, WSASend, WSASocketW, getaddrinfo, freeaddrinfo, inet_ntop, recv, send, getnameinfo, socket, recvfrom, sendto, WSAAccept
CRYPT32.dll	CertGetCertificateContextProperty, CryptStringToBinaryA, CertAddCertificateContextToStore, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertFreeCertificateContext, CertDuplicateCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore, CertCreateCertificateContext
ADVAPI32.dll	CryptHashData, CryptGetHashParam, CryptAcquireContextA, CryptGenRandom, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, SystemFunction036, ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegSetKeySecurity, RegGetKeySecurity, RegFlushKey, QueryServiceStatus, CreateServiceW, LsaNtStatusToWinError, LsaRemoveAccountRights, LsaAddAccountRights, LsaOpenPolicy, LsaClose, LogonUserW, LookupAccountNameW, IsValidSid, InitializeSid, InitializeAcl, GetSidSubAuthority, GetSidLengthRequired, GetLengthSid, GetAclInformation, GetAce, CopySid, AddAce, RegCopyTreeW, RegDeleteTreeW, RegEnumValueW, RegCreateKeyExW, ConvertSidToStringSidW, RegDeleteValueW, RegDeleteKeyW, FreeSid, AllocateAndInitializeSid, EnumServicesStatusW, LookupPrivilegeNameA, LookupAccountSidW, GetTokenInformation, RegSetValueExW, SetNamedSecurityInfoW, GetNamedSecurityInfoW, GetSecurityInfo, RegEnumKeyExA, RegQueryValueExA, RegOpenKeyExA, RegGetValueA, BuildTrusteeWithSidW, GetEffectiveRightsFromAclW, MapGenericMask, DuplicateToken, AccessCheck, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, RegNotifyChangeKeyValue, SetEntriesInAclW, RevertToSelf, ImpersonateLoggedOnUser, DuplicateTokenEx, StartServiceW, QueryServiceConfig2W, QueryServiceConfigA, OpenServiceA, EnumDependentServicesW, ControlService, ChangeServiceConfigA, QueryServiceStatusEx, QueryServiceConfigW, OpenServiceW, OpenSCManagerW, DeleteService, CloseServiceHandle, OpenProcessToken, CreateProcessAsUserW, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource
KERNEL32.dll	GetTimeFormatW, GetLocaleInfoW, GetCurrencyFormatW, GetUserPreferredUILanguages, GetVolumePathNameW, GetVolumeNameForVolumeMountPointW, GetWindowsDirectoryA, GetVersionExA, GetCurrentProcessorNumber, TryEnterCriticalSection, GetEnvironmentVariableA, GetDateFormatW, GetUserGeoID, GetGeoInfoW, GetTimeZoneInformation, GetStartupInfoW, RegisterWaitForSingleObject, GetStringTypeW, GetExitCodeThread, EncodePointer, QueueUserWorkItem, GetCPInfo, InitializeSListHead, UnregisterWaitEx, IsDebuggerPresent, OutputDebugStringA, CreateTimerQueue, SignalObjectAndWait, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, FindFirstFileExW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, RtlUnwind, SystemTimeToTzSpecificLocalTime, SetConsoleCtrlHandler, ExitThread, LockFileEx, UnlockFileEx, ExitProcess, SetStdHandle, GetCommandLineA, GetConsoleCP, IsValidLocale, EnumSystemLocalesW, GetACP, GetOEMCP, CreateMutexA, UnlockFile, HeapCompact, DeleteFileA, FlushViewOfFile, GetDiskFreeSpaceA, GetTempPathA, HeapValidate, GetFullPathNameA, LockFile, GetDiskFreeSpaceW, HeapCreate, GetDriveTypeW, FlushFileBuffers, GetSystemDirectoryW, UnhandledExceptionFilter, GetLastError, CreateEventA, CreateEventW, SetEvent, ResetEvent, Sleep, WaitForSingleObject, CloseHandle, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, TerminateProcess, GetExitCodeProcess, CreateThread, TerminateThread, CreateProcessA, GetModuleFileNameW, lstrcmpiW, MoveFileA, GetCommandLineW, ReleaseMutex, CreateMutexW, CreateProcessW, lstrcatW, GetSystemTimeAsFileTime, GetCurrentThreadId, WaitForSingleObjectEx, InitializeSRWLock, ReleaseSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockExclusive, AcquireSRWLockShared, GetLocalTime, LocalFree, FormatMessageW, MoveFileExW, CopyFileA, MoveFileExA, RtlCaptureStackBackTrace, CreateFileW, GetDiskFreeSpaceExW, GetFileSize, ReadFile, DecodePointer, SetHandleInformation, RaiseException, CreatePipe, PeekNamedPipe, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentProcess, GetCurrentProcessId, OpenProcess, GetComputerNameExW, GetModuleHandleW, GetProcAddress, LocalAlloc, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, HeapAlloc, HeapFree, GetProcessHeap, GetTickCount, GetFileAttributesA, SetFileAttributesA, GetModuleFileNameA, SetLastError, FormatMessageA, WideCharToMultiByte, WaitForMultipleObjects, HeapReAlloc, HeapDestroy, HeapSize, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, QueueUserAPC, TlsAlloc, TlsFree, GetConsoleWindow, VerSetConditionMask, VerifyVersionInfoW, GetVersionExW, GetVersion, FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, GetLogicalDrives, QueryDosDeviceW, GetVolumePathNamesForVolumeNameW, DeviceIoControl, GetProcessTimes, GetSystemTimes, GlobalMemoryStatusEx, GetSystemInfo, QueryFullProcessImageNameW, FileTimeToSystemTime, MultiByteToWideChar, Thread32First, Thread32Next, InitializeCriticalSection, FreeLibrary, LoadLibraryExA, LoadLibraryA, DuplicateHandle, ReleaseSemaphore, TlsGetValue, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, lstrlenW, GetFileAttributesExW, GetTempFileNameW, GetPrivateProfileStringW, WritePrivateProfileStringW, WritePrivateProfileSectionW, CopyFileW, CreateSemaphoreW, GetVolumeInformationW, SetFileAttributesW, GetFileTime, SetThreadExecutionState, SetEnvironmentVariableW, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessId, WriteFile, LoadLibraryExW, SleepEx, CreateIoCompletionPort, GetQueuedCompletionStatus, InitializeCriticalSectionAndSpinCount, TlsSetValue, GetModuleHandleA, GetSystemTime, SystemTimeToFileTime, InitOnceExecuteOnce, RemoveDirectoryW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount64, VirtualQuery, Module32FirstW, Module32NextW, GetCurrentThread, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, GetThreadId, RtlCaptureContext, SetUnhandledExceptionFilter, ResumeThread, VirtualQueryEx, LoadLibraryW, SetNamedPipeHandleState, TransactNamedPipe, WaitNamedPipeW, SwitchToFiber, DeleteFiber, CreateFiber, GetModuleHandleExW, GetStdHandle, GetEnvironmentVariableW, GetFileType, ConvertFiberToThread, ConvertThreadToFiber, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, WriteConsoleW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFileInformationByHandle, GetFullPathNameW, SetEndOfFile, SetFilePointerEx, SetFileTime, GetWindowsDirectoryW, AreFileApisANSI, WakeAllConditionVariable, SleepConditionVariableSRW, IsValidCodePage, IsDBCSLeadByteEx, LCMapStringW, GetUserDefaultLCID, OpenEventA, GetLogicalProcessorInformation, GetSystemDirectoryA, VerifyVersionInfoA, ExpandEnvironmentStringsA, CreateFileA, GetFileSizeEx, DisconnectNamedPipe, GlobalFree, ConnectNamedPipe, CreateNamedPipeW, GetOverlappedResult, CompareStringEx, SwitchToThread, SetThreadPriority, GetThreadPriority, GetNativeSystemInfo, OutputDebugStringW, IsProcessorFeaturePresent, GetLongPathNameW, GetTempPathW, SetErrorMode, MoveFileW, TzSpecificLocalTimeToSystemTime, GetFileInformationByHandleEx, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetFilePointer, CompareStringW, ReadFileEx, CancelIoEx, WriteFileEx
USER32.dll	UnhookWindowsHookEx, CallNextHookEx, CharNextExA, SetWindowsHookExW, GetWindowLongW, KillTimer, SetTimer, MsgWaitForMultipleObjectsEx, GetQueueStatus, DestroyWindow, CreateWindowExW, RegisterClassW, DefWindowProcW, PeekMessageW, GetWindowThreadProcessId, EnumWindows, PostMessageW, GetUserObjectInformationW, GetProcessWindowStation, PostThreadMessageW, DispatchMessageW, TranslateMessage, wsprintfW, MessageBoxW, UnregisterClassW, UnregisterDeviceNotification, RegisterDeviceNotificationW, SetWindowLongW
SHELL32.dll	SHGetFolderPathW, SHGetKnownFolderPath
ole32.dll	CoCreateGuid, CLSIDFromString, StringFromGUID2, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx, CoUninitialize, CoTaskMemFree, CoInitialize
OLEAUT32.dll	SysFreeString, VariantInit, VariantClear, SysAllocString, SysStringLen, SafeArrayGetVartype, SafeArrayCopy, SafeArrayUnlock, SafeArrayLock, SafeArrayRedim, SafeArrayCreate, VarBstrCat, SysAllocStringLen, GetErrorInfo, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayDestroy
SHLWAPI.dll	PathRemoveExtensionW, PathFindFileNameW, PathRemoveFileSpecW, SHDeleteValueW, PathFileExistsW, PathFileExistsA, PathStripPathW, PathQuoteSpacesW, StrStrW
WINHTTP.dll	WinHttpQueryHeaders, WinHttpReceiveResponse, WinHttpCrackUrl, WinHttpOpen, WinHttpCloseHandle, WinHttpConnect, WinHttpOpenRequest, WinHttpSendRequest
dbghelp.dll	StackWalk64, SymFunctionTableAccess64, SymGetModuleBase64, SymInitialize, SymGetOptions, SymSetOptions, SymFromAddr
PSAPI.DLL	GetProcessImageFileNameW, GetProcessMemoryInfo, GetModuleFileNameExW, QueryWorkingSet
MPR.dll	WNetGetUniversalNameW
WINMM.dll	timeKillEvent, timeSetEvent

Exports

Name	Ordinal	Address
??4SvcLibWinUtils@@QAEAAV0@$$QAV0@@Z	1	0x482ff0
??4SvcLibWinUtils@@QAEAAV0@ABV0@@Z	2	0x482ff0
?CalcUsagePct@SvcLibWinUtils@@SAMABUSCpu@LiveTaskManagerQt@@AAU23@@Z	3	0x552b30
?FILETIME_to_QDateTime@SvcLibWinUtils@@SA?AVQDateTime@@_K@Z	4	0x552be0
?GetShortcutParams@SvcLibWinUtils@@SA_NAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@1@Z	5	0x5531b0
?SendCustomMessage@SvcLibWinUtils@@SA_NABVQString@@V2@_NHAB_N@Z	6	0x553b20
?SendRebootMessage@SvcLibWinUtils@@SA_NABVQString@@V2@_NH@Z	7	0x553ce0
?calc_process_memory@SvcLibWinUtils@@SAKPAXAAK@Z	8	0x554240
?checkIfUsersLoggedIn@SvcLibWinUtils@@SA_NXZ	9	0x554390
?createUserProcess@SvcLibWinUtils@@SA_NKPA_WPAU_STARTUPINFOW@@PAU_PROCESS_INFORMATION@@@Z	10	0x554820
?createUserProcessAndWait@SvcLibWinUtils@@SA_NKPA_WPAU_STARTUPINFOW@@PAU_PROCESS_INFORMATION@@AAKK@Z	11	0x554c00
?getActiveUserSessionToken@SvcLibWinUtils@@SA_NPAPAXAAK@Z	12	0x555ca0
?getAllSid@SvcLibWinUtils@@SA_NAAV?$vector@U_WTS_SESSION_INFOW@@V?$allocator@U_WTS_SESSION_INFOW@@@std@@@std@@@Z	13	0x555f60
?getDomainRole@SvcLibWinUtils@@SAHXZ	14	0x5560b0
?getProcessByName@SvcLibWinUtils@@SAKABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z	15	0x556460
?getUserBySid@SvcLibWinUtils@@SA_NKAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z	16	0x556660
?getWindowsVersion@SvcLibWinUtils@@SAHXZ	17	0x556820
?get_executable_path_by_pid@SvcLibWinUtils@@CAKIAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z	18	0x556890
?get_path_by_device@SvcLibWinUtils@@CA_NAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z	19	0x556bf0
?listUsersTempFolders@SvcLibWinUtils@@SA?AVQStringList@@XZ	20	0x557200
?queryCpuData@SvcLibWinUtils@@SA_NAAUSCpu@LiveTaskManagerQt@@@Z	21	0x557940
?queryDiskDriveData@SvcLibWinUtils@@SA_NAAV?$QMap@VQString@@USPhysicalDiskDrive@LiveTaskManagerQt@@@@@Z	22	0x5579a0
?queryMemoryData@SvcLibWinUtils@@SA_NAAUSMemory@LiveTaskManagerQt@@@Z	23	0x5587a0
?queryNetworkData@SvcLibWinUtils@@SA_NAAV?$QMap@VQString@@USNetwork@LiveTaskManagerQt@@@@@Z	24	0x558850
?queryNetworkStatsData@SvcLibWinUtils@@SA_NAAV?$QMap@VQString@@USNetwork@LiveTaskManagerQt@@@@@Z	25	0x558f90
?queryRunningProcess@SvcLibWinUtils@@SA_NAAV?$QMap@HUSProcess@LiveTaskManagerQt@@@@@Z	26	0x5593a0
?queryService@SvcLibWinUtils@@SA_NAAV?$QMap@VQString@@USService@LiveTaskManagerQt@@@@@Z	27	0x55a300

Version Infos

Description	Data
LegalCopyright	Copyright (c) 2022
InternalName	NinjaRMMAgentPatcher
FileVersion	5.3.3646.0
CompanyName	NinjaRMM, LLC
Comments	NinjaRMMAgentPatcher v5.3
ProductName	NinjaRMMAgentPatcher
ProductVersion	5.3.3646
FileDescription	NinjaRMMAgentPatcher Application
OriginalFilename	NinjaRMMAgentPatcher
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• NinjaRMMAgentPatcher.exe
• conhost.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• NinjaRMMAgentPatcher.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	10:57:28
Start date:	04/05/2022
Path:	C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NinjaRMMAgentPatcher.exe"
Imagebase:	0x920000
File size:	25645616 bytes
MD5 hash:	F6C1A6015E7C5CE658B9EFCDB211D092
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	10:57:34
Start date:	04/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NinjaRMMAgentPatcher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\NinjaRMMAgent\logs\NinjaRMMPatcher_20220504T10.57.35.0.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: NinjaRMMAgentPatcher.exePID: 7020, Parent PID: 4352

General

File Activities

File Opened

File Created

Windows Analysis Report
NinjaRMMAgentPatcher.exe