Edit tour

Windows Analysis Report
internalinfrastructuremainoffice-7.0.2317-windows-installer.msi

Overview

General Information

Sample name:	internalinfrastructuremainoffice-7.0.2317-windows-installer.msi
Analysis ID:	1636376
MD5:	63f7647a692d583b1ba7cc35d7a777f6
SHA1:	f228f04ba6d8fb620c7f11e3ddb037219be3180b
SHA256:	baddfa45cc247580e5872cbd9533a46b659f20606a4af1c16ebb72adca8e3666
Infos:

Detection

ScreenConnect Tool

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious MsiExec Embedding Parent

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected ScreenConnect Tool

Yara signature match

Classification

Process Tree

System is w11x64_office

msiexec.exe (PID: 7844 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\internalinfrastructuremainoffice-7.0.2317-windows-installer.msi" MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)

msiexec.exe (PID: 7956 cmdline: C:\Windows\system32\msiexec.exe /V MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)

msiexec.exe (PID: 8128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D0B3878ACBAFCA74E3FAFC7C1E1B8E17 MD5: FE653E9A818C22D7E744320F65A91C09)

cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

msiexec.exe (PID: 7204 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EBD787ED8A205663B0BA63676D795963 E Global\MSI0000 MD5: FE653E9A818C22D7E744320F65A91C09)

icacls.exe (PID: 7276 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: DF132308B964322137C3AA6CD2705D24)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

expand.exe (PID: 7384 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 63860F134FE4705269CE653A673DBD88)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe" --mode unattended MD5: CAE1C6989A809758147183D266DF16D0)

icacls.exe (PID: 8116 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: DF132308B964322137C3AA6CD2705D24)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

svchost.exe (PID: 5796 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)

NinjaRMMAgentPatcher.exe (PID: 5920 cmdline: "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe" MD5: 2D5A63DEBAC7B810D6F49ADD33B157CB)

NinjaRMMAgent.exe (PID: 3752 cmdline: "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe" /submitsignals MD5: 799044FF983C52FB0E5C7BB4D195C5E8)

conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6864 cmdline: "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000// MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

sc.exe (PID: 5476 cmdline: sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000// MD5: 35AFDDBBF42372FF50809E87BBB88F0E)

svchost.exe (PID: 7840 cmdline: C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)

svchost.exe (PID: 2728 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WFDSConMgrSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	APT_Trojan_Win_REDFLARE_6	unknown	unknown	0x2376f1e:$s1: RevertToSelf 0x2397004:$s1: RevertToSelf 0x2868946:$s1: RevertToSelf 0x152d098:$s2: Unsuccessful 0x152d150:$s2: Unsuccessful 0x157b294:$s2: Unsuccessful 0x1527bc8:$s3: Successful 0x154e1f4:$s3: Successful 0x154e240:$s3: Successful 0x22cc06c:$s3: Successful 0x23b5f60:$s3: Successful 0x23b5f90:$s3: Successful 0x23b5fc4:$s3: Successful 0x23b6920:$s3: Successful 0x23b6994:$s3: Successful 0x23b69c8:$s3: Successful 0x156dcda:$s4: runCommand 0x14f2a30:$s5: initialize 0x14f2a78:$s5: initialize 0x14f4a82:$s5: initialize 0x14f4ab6:$s5: initialize

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.4124046133.00000000028F6000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000011.00000000.3172328933.00000000028F6000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000020.00000002.4124465385.0000000002519000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000020.00000000.3885840625.0000000002519000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, ProcessId: 7432, TargetFilename: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//, CommandLine: "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe" /submitsignals, ParentImage: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe, ParentProcessId: 3752, ParentProcessName: NinjaRMMAgent.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//, ProcessId: 6864, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D0B3878ACBAFCA74E3FAFC7C1E1B8E17, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8128, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files", ProcessId: 7376, ProcessName: cmd.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 712, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, ProcessId: 5796, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_9dbaedbf-0

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

File created: C:\Users\user\AppData\Local\Temp\bitrock_installer.log

Jump to behavior

Source: unknown	HTTPS traffic detected: 18.66.102.15:443 -> 192.168.2.24:53975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51125 version: TLS 1.2

Source:	Binary string: cabarc.pdbXKU source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.00000000024E4000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: :%d :%d error %d: D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence\sqlite_storage.cppexpected true pDb_ != NULLexpected true pStatementTextexpected true pStmtexpected true storage.pDb_ != NULLexpected true storage.pDb_ == pStorage_->pDb_D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence\sqlite_binders.cpp%s:%d can't bind rowid value [%llu] to statement param %d%s:%d can't map row param %d value [%d] to table_STATUS_v1::status_tue5o87wpno;q836 iop[lpkskop' o9871sdkjh ;srghj ;lwrg-mwnoetiuh w;oi46thgn ajog oq873r50q23l; [56984239465T-2305 3[5T8 QU -MV964 [YW08456 agfq 725184340Q2N 9ERa;slfhg;sl ;-ASIUWY98476-3WM5VM [] -070I .]0valueIdvalueOptionsentityTypeattributeNameattributeTypeattributeScopescriptPermissionadvancedSettingsattributeDefinitionScopeCHECKBOXDECIMALTEXT_MULTILINEEMAILIP_ADDRESSPHONETEXT_ENCRYPTEDMULTI_SELECTNODE_MULTI_SELECTCLIENT_MULTI_SELECTCLIENT_LOCATION_MULTI_SELECTDROPDOWNNODE_DROPDOWNCLIENT_DROPDOWNCLIENT_LOCATION_DROPDOWNDATEDATE_TIMETIMEATTACHMENTWYSIWYGdocumentIdtemplateIdCDCFAttribute: detected not null docId for not instantiated docCDCFAttribute: Unable to retrieve correct template/document IDResetting m_nRetryTimer to 0 for Interval Schedule typeInterval New Schedule: Weekly New Schedule: Invalid scheduleType. Manually setting to 0 (Daily)Empty scheduleType. Manually setting to 0 (Daily) source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\bio\bio_lib.c source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: expected true storage.pDb_ != NULL source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\njcli\ninjarmm-cli.pdb) source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\win-patcher\NinjaRMMAgentPatcher.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: cabarc.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdbM source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.00000000024E4000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: expected true storage.pDb_ == pStorage_->pDb_ source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\BuildAgent\work\ca5c6e3bc22f755f\vcpkg\buildtrees\sentry-native\x86-windows-static-rel\crashpad_build\handler\crashpad_handler.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\vcpkg\buildtrees\curl\x86-windows-static-rel\src\curl.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3187984060.00000000091B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\njcli\ninjarmm-cli.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.24:51102 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 18.66.102.15 18.66.102.15

Source: Joe Sandbox View

JA3 fingerprint: 87b9bfc7da97115ed2276737b09f8d74

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: Usage: curl [options...] <url>

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: resources.ninjarmm.com
Source: global traffic	DNS traffic detected: DNS query: agent-us2.us2.ninjarmm.com

Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3213173105.0000000004C2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271748473.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3278672981.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271341185.0000000004C07000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933987105.0000000003511000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912725487.000000000357B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933987105.0000000003511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlg
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3213173105.0000000004C2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271748473.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3278672981.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271341185.0000000004C07000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl3
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912779289.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269744732.0000000004BB3000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914978423.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933539018.000000000356A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933928041.000000000356C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912725487.000000000357B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933539018.000000000356A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275875097.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933928041.000000000356C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3275875097.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3095662106.00000000063B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3095854747.0000000004FFF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189384722.0000000004FFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.bitrock.com/feedback.php
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3084429688.0000000004C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://forum.java.sun.com/thread.jspa?threadID=426291&messageID=1997063
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://DefaultHTTPProtoNinjaRMMAgent.exeAgentCurrentExecutableNameD:
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912046127.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911460186.0000000004C3E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933329048.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912779289.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269335955.000000000356D000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275875097.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000002.4126790216.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270541808.0000000004C1C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269744732.0000000004BB3000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912448289.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269639083.000000000357D000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914978423.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3211983956.0000000003543000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271647466.000000000357E000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3211983956.0000000003543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/$
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912448289.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/N
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269744732.0000000004BB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/dSC
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/dSw
Source: NinjaRMMAgentPatcher.exe, 00000011.00000002.4126790216.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/e
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3097330477.0000000004A78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.m
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3095662106.00000000063B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3095854747.0000000004FFF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189384722.0000000004FFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://timestamp.apple.com/ts01
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3213328685.0000000004BE1000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912046127.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911460186.0000000004C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3213328685.0000000004BE1000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912046127.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911460186.0000000004C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3084429688.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189659577.000000000A180000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276199577.0000000003561000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271369009.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271369009.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/g
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3177743464.000000000384F000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3038497697.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043029023.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3043056248.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3178037192.0000000004B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G2
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912448289.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3913354634.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914187095.0000000004C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912367459.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3910688150.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3913354634.0000000004C13000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914187095.0000000004C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bmZ
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912448289.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3275875097.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps?
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912448289.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsS
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3912779289.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276199577.0000000003561000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914187095.0000000004C04000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914978423.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-us2.us2.ninjarmm.com/ws/agent/version/WINDOWS/1f38a8cd-e50c-4c7e-9c90-f7985062b13f/0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912779289.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3911308115.000000000351B000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3914978423.0000000003542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-us2.us2.ninjarmm.com/ws/agent/version/WINDOWS/1f38a8cd-e50c-4c7e-9c90-f7985062b13f/0aa
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3276199577.0000000003561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-us2.us2.ninjarmm.com/ws/agent/version/WINDOWS/1f38a8cd-e50c-4c7e-9c90-f7985062b13f/0hq
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3187984060.00000000091B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/P
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3187984060.00000000091B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://downbox.webrootanywhere.com/wsasmeexe/
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://downbox.webrootanywhere.com/wsasmeexe/webrootUsing
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189659577.000000000A180000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert
Source: NinjaRMMAgentPatcher.exe, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276199577.0000000003561000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3912367459.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3910688150.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3276199577.0000000003561000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.comb.)
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.comh
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189659577.000000000A180000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://powershellexplained.com/2017-05-27-Powershell-module-building-basics/
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3271054806.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933539018.000000000356A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3933443007.0000000003542000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3278672981.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271369009.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://resources.ninjarmm.com/AgentInstallers/cabarc_20230209.zip
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://resources.ninjarmm.com/AgentInstallers/cabarc_20230209.zip5a4e1ba7ad86dff0e7fa019049d5efb83d
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/MAC/phoneemailSOFTWARE
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/UpdateExeVolatileSOFTWARE
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/https://resources.ninjarmm.com/Bitdefender/MAC/Account
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Bitdefender/https://resources.ninjarmm.com/Bitdefender/MAC/patch.dats
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Crowdstrike/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Crowdstrike/ws.agent.config.crowdstrike.generic.jsonws.agent.config.c
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/Raid/perccli.exe71F4507F0E91B72D87227B88B51927F8perccli7.1-007.exehtt
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/SentinelOne/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/SentinelOne/ws.agent.config.sentinelone.generic.jsonws.agent.config.s
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Host_Setup_v14.20181018.exe
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Host_Setup_v15.17.6.exe
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Host_Setup_v15.17.6.exehostSha256
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Setup_v14.1.3399.exe
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Setup_v14.1.3399.exe3db23527a6a8151db442a92b146
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Setup_v15.17.6.exe
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/TeamViewer/TeamViewer_Setup_v15.17.6.exefullSha256
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/(https?
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/sample_policy_tmp_2.json
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resources.ninjarmm.com/components/gravityzone/sample_policy_tmp_2.jsonGravityZone:
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188665033.0000000006EA2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.000000000A2DF000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188960241.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006E09000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188274505.00000000099FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.bitdefender.com/business/support/en/77211-199836-error-codes.html
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932998341.0000000003541000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932265648.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3933813057.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269335955.000000000356D000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3213328685.0000000004BE1000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270182164.0000000004C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cloud-platform
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cloud-platformExternalAccountCredentials
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3213173105.0000000004C2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271748473.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3278672981.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3275709713.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3269382946.0000000004BBA000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270404347.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276639791.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3270764701.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3271341185.0000000004C07000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3276265610.0000000004C06000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: NinjaRMMAgentPatcher.exe, 00000011.00000003.3932666362.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/Wl

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown	Network traffic detected: HTTP traffic on port 51116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown	Network traffic detected: HTTP traffic on port 51110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown	Network traffic detected: HTTP traffic on port 51113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51125
Source: unknown	Network traffic detected: HTTP traffic on port 53975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51125 -> 443

Source: unknown	HTTPS traffic detected: 18.66.102.15:443 -> 192.168.2.24:53975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.13.241.110:443 -> 192.168.2.24:51125 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe, type: DROPPED

Matched rule: APT_Trojan_Win_REDFLARE_6 Author: unknown

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6805d2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B633BAB2-942E-4C98-BAAF-08AE953C9294}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SystemTemp\~DF73388472A3DA2922.TMP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SystemTemp\~DFA2ACC3EC30272AC7.TMP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12D2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29C7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9A74.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6805d4.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6805d4.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B633BAB2-942E-4C98-BAAF-08AE953C9294}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B633BAB2-942E-4C98-BAAF-08AE953C9294}\ProductIcon	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA003.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SystemTemp\~DF8914B13BDE68F24C.TMP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SystemTemp\~DF1CAA6454A69AAFB8.TMP	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	File created: C:\Windows\SysWOW64\_ws_agent_signal1741784971291-SECURE_AGENT_SETTINGS_READ_FAILURE.json	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI12E3.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Code function: 12_3_03C81DDA	12_3_03C81DDA
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Code function: 12_3_03C7D25B	12_3_03C7D25B
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03551737	17_3_03551737
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_0354F6D3	17_3_0354F6D3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03548BE3	17_3_03548BE3
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_035433AA	17_3_035433AA

Source: uninstbr.000.12.dr	Static PE information: Number of sections : 11 > 10
Source: uninstall-ninja.exe.12.dr	Static PE information: Number of sections : 11 > 10
Source: uninstall.exe.12.dr	Static PE information: Number of sections : 11 > 10
Source: b66eb40ac3fb0e48a038c127c44094e6.tmp.10.dr	Static PE information: Number of sections : 11 > 10

Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe, type: DROPPED

Matched rule: APT_Trojan_Win_REDFLARE_6 date_created = 2020-12-01, rev = FireEye, date_modified = 2020-12-01, md5 = 294b1e229c3b1efce29b162e7b3be0ab, 6902862bd81da402e7ac70856afbe6a2

Source: NinjaRMMAgent.exe.12.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: NinjaRMMAgentPatcher.exe.12.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp

Binary or memory string: com.slnishinomiya.hyogo.jpkustanai.rucom.snpassenger-association.aerocom.sotsushima.nagasaki.jpcom.stuy.comx.seisa-geek.comcom.sv

Source: classification engine

Classification label: mal60.winMSI@31/71@4/4

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317

Jump to behavior

Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Mutant created: \BaseNamedObjects\NinjaRMMSignalSubmitterRunning
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF9D15E5808574A272.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_cve_cvss_score_tables', 'olexiys', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: UPDATE DATABASECHANGELOGLOCK SET LOCKED = 1, LOCKEDBY = 'DESKTOP-PROGRAMMER (192.168.1.27)', LOCKGRANTED = '2022-06-24 12:22:22.000' WHERE ID = 1 AND LOCKED = 0;
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_cachenode_list', 'ninjarmm_3pp_patching', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_os_patching_config_table', 'ninjarmm_orbit_patching', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_policy_table', 'olexiys', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: CREATE TABLE DATABASECHANGELOGLOCK (ID INTEGER NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TEXT, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID));
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_patch_log_table', 'olexiys', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_settings_table', 'olexiys', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_third_party_policy_table', 'ninjarmm_orbit_patching', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: CREATE TABLE DATABASECHANGELOG (ID VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME VARCHAR(255) NOT NULL, DATEEXECUTED TEXT NOT NULL, ORDEREXECUTED INTEGER NOT NULL, EXECTYPE VARCHAR(10) NOT NULL, MD5SUM VARCHAR(35), DESCRIPTION VARCHAR(255), COMMENTS VARCHAR(255), TAG VARCHAR(255), LIQUIBASE VARCHAR(20), CONTEXTS VARCHAR(255), LABELS VARCHAR(255), DEPLOYMENT_ID VARCHAR(10));
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_patch_pending_reboot_table', 'ninjarmm_orbit_patching', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOGLOCK (ID, LOCKED) VALUES (1, 0);
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('add_run_parameters', 'olexiys', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: UPDATE DATABASECHANGELOGLOCK SET LOCKED = 0, LOCKEDBY = NULL, LOCKGRANTED = NULL WHERE ID = 1;)
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME, DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, CONTEXTS, LABELS, LIQUIBASE, DEPLOYMENT_ID) VALUES ('initial create', 'ninjarmm_orbit_patching', 'c:/agent/changelog.yaml', CURRENT_TIMESTAMP, 8, '8:70f33f77e58a9f7db42e71bf8a07a3e1', 'sql', '', 'EXECUTED', NULL, NULL, '3.6.3', '1965060448');

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\internalinfrastructuremainoffice-7.0.2317-windows-installer.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D0B3878ACBAFCA74E3FAFC7C1E1B8E17
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EBD787ED8A205663B0BA63676D795963 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe" --mode unattended
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Source: unknown	Process created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WFDSConMgrSvc
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe" /submitsignals
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D0B3878ACBAFCA74E3FAFC7C1E1B8E17	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EBD787ED8A205663B0BA63676D795963 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe" --mode unattended	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe "C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe" /submitsignals	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npsmdesktopprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devicesflowbroker.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wfdsconmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wfdsconmgrsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: deviceassociation.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: Uninstall NinjaRMMAgent.lnk.12.dr

LNK file: ..\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\msiwrapper.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: internalinfrastructuremainoffice-7.0.2317-windows-installer.msi

Static file information: File size 53211136 > 1048576

Source:	Binary string: cabarc.pdbXKU source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.00000000024E4000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: :%d :%d error %d: D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence\sqlite_storage.cppexpected true pDb_ != NULLexpected true pStatementTextexpected true pStmtexpected true storage.pDb_ != NULLexpected true storage.pDb_ == pStorage_->pDb_D:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-agentlib\persistence\sqlite_binders.cpp%s:%d can't bind rowid value [%llu] to statement param %d%s:%d can't map row param %d value [%d] to table_STATUS_v1::status_tue5o87wpno;q836 iop[lpkskop' o9871sdkjh ;srghj ;lwrg-mwnoetiuh w;oi46thgn ajog oq873r50q23l; [56984239465T-2305 3[5T8 QU -MV964 [YW08456 agfq 725184340Q2N 9ERa;slfhg;sl ;-ASIUWY98476-3WM5VM [] -070I .]0valueIdvalueOptionsentityTypeattributeNameattributeTypeattributeScopescriptPermissionadvancedSettingsattributeDefinitionScopeCHECKBOXDECIMALTEXT_MULTILINEEMAILIP_ADDRESSPHONETEXT_ENCRYPTEDMULTI_SELECTNODE_MULTI_SELECTCLIENT_MULTI_SELECTCLIENT_LOCATION_MULTI_SELECTDROPDOWNNODE_DROPDOWNCLIENT_DROPDOWNCLIENT_LOCATION_DROPDOWNDATEDATE_TIMETIMEATTACHMENTWYSIWYGdocumentIdtemplateIdCDCFAttribute: detected not null docId for not instantiated docCDCFAttribute: Unable to retrieve correct template/document IDResetting m_nRetryTimer to 0 for Interval Schedule typeInterval New Schedule: Weekly New Schedule: Invalid scheduleType. Manually setting to 0 (Daily)Empty scheduleType. Manually setting to 0 (Daily) source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\bio\bio_lib.c source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3182487208.00000000092B2000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: expected true storage.pDb_ != NULL source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\njcli\ninjarmm-cli.pdb) source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\win-patcher\NinjaRMMAgentPatcher.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: cabarc.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3176719431.0000000003714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\5fd0d3984528b628\3rdparty\qtstatic\proxy_process\build_release_x64\release\NinjaRMMProxyProcess64.pdbM source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.00000000024E4000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: expected true storage.pDb_ == pStorage_->pDb_ source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgentPatcher.exe, 00000011.00000000.3172328933.0000000002B98000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\BuildAgent\work\ca5c6e3bc22f755f\vcpkg\buildtrees\sentry-native\x86-windows-static-rel\crashpad_build\handler\crashpad_handler.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\vcpkg\buildtrees\curl\x86-windows-static-rel\src\curl.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3187984060.00000000091B5000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3179813265.0000000009F01000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3180245119.0000000008E2A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\BuildAgent\work\aac9931d38d89885\build_root\x86-windows-release-static\app\njcli\ninjarmm-cli.pdb source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3181552678.0000000006B68000.00000004.00000020.00020000.00000000.sdmp

Source: BR50F9.tmp.12.dr	Static PE information: real checksum: 0x0 should be: 0x12bb9
Source: uninstbr.000.12.dr	Static PE information: real checksum: 0x3263fdd should be: 0x803021

Source: b66eb40ac3fb0e48a038c127c44094e6.tmp.10.dr	Static PE information: section name: .eh_fram
Source: NinjaRMMAgent.exe.12.dr	Static PE information: section name: CPADinfo
Source: NinjaRMMAgent.exe.12.dr	Static PE information: section name: .qtmetad
Source: NinjaRMMAgent.exe.12.dr	Static PE information: section name: .qtmimed
Source: NinjaRMMAgentPatcher.exe.12.dr	Static PE information: section name: CPADinfo
Source: NinjaRMMAgentPatcher.exe.12.dr	Static PE information: section name: .qtmetad
Source: NinjaRMMAgentPatcher.exe.12.dr	Static PE information: section name: .qtmimed
Source: uninstall-ninja.exe.12.dr	Static PE information: section name: .eh_fram
Source: uninstall.exe.12.dr	Static PE information: section name: .eh_fram
Source: BR4C22.tmp.12.dr	Static PE information: section name: .eh_fram
Source: BR4F22.tmp.12.dr	Static PE information: section name: .eh_fram
Source: BR4FAF.tmp.12.dr	Static PE information: section name: .eh_fram
Source: BR5486.tmp.12.dr	Static PE information: section name: .eh_fram
Source: BR54D5.tmp.12.dr	Static PE information: section name: .eh_fram
Source: uninstbr.000.12.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Code function: 12_3_03C7CFC6 pushad ; iretd	12_3_03C7CFA1
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Code function: 12_3_03C7CDDB pushad ; iretd	12_3_03C7CFA1
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Code function: 12_3_05A21DA8 push eax; retf	12_3_05A21DAD
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568059 pushad ; ret	17_3_0356805D
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568398 push eax; ret	17_3_03568399
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03565088 push 00000068h; iretd	17_3_0356508A
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Code function: 17_3_03568CB0 push edi; retf	17_3_03568CB1

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR50F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR5486.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR54D5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR4FAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9A74.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR4D4C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR4F22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR5271.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA003.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\c02a2e689ece481aa8abadd43d9ba42a$dpx$.tmp\b66eb40ac3fb0e48a038c127c44094e6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR4C22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Users\user\AppData\Local\Temp\BR503D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstbr.000	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\CabArc.Exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\tcl8B66.tmp (copy)	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA003.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9A74.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

File created: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstbr.000

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

File created: C:\Users\user\AppData\Local\Temp\bitrock_installer.log

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR4F22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR4D4C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR50F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR5271.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR5486.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR54D5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA003.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR4C22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR503D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstbr.000	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BR4FAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI12E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI29C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\CabArc.Exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Dropped PE file which has not been started: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\tcl8B66.tmp (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9A74.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 7916

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\	Jump to behavior

Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: virtualMachine
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: VMware,
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: Hyper-V is disabled on this computer
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: hD:\BuildAgent\work\aac9931d38d89885\src\ninjarmm-winagent-monitorlib\MonitorStruct.cppcdromcomputerSystemdiskDrivediskPartitiondiskVolumeeventLogsoftwareInventoryloggedOnUsermemorynetworkInterfaceospageFileportStatusprocessorprocessorCorerunningProcesssoundDeviceuserAccountvideoControllerwindowsServicethirdPartyAVSoftwareraid-controllerraid-physical-driveraid-logical-diskCPUIDbatterydrivemanufacturermediaTypeCDROMDriveDataComputerSystemDatabiosDescriptionbiosManufacturerbiosNamebiosReleaseDatebiosSerialNumbersmbiosBIOSVersioncurrentTimeZonedaylightInEffectproductNumberdnsHostNamedomainRolemodelnumberOfProcessorsprimaryOwnerNamepartOfDomainrolesserialNumberassetTagsystemTypetotalPhysicalMemoryvirtualMachinechassisTypetpmIsInstalledtpmIsEnabledtpmSpecVersiontpmManufacturerVersiontpmManufacturerIdtpmPhysicalPresenceVersionInfotpmIsActivatedADObjectGuidADOUPathError on parse ComputerSystem from JSONindexbytesPerSectorinterfaceTypepartitionCountsmartCapableCurrent Status[{}] NextStatus[{}]Disk status was reported as empty, setting to OKNew Status[{}] failureStatusCount[{}]Ignoring attempt to set drive status to: DiskDriveDatapartitionIndexdiskIndexbootPartitionbootableprimaryPartitionstartingOffsetDiskPartitionDataautoMountcapacitycompressedconfigManagerErrordriveLetterdriveTypefileSystemindexingEnabledmaxFileNameLengthpageFilePresentsupportsDiskQuotassupportsFileBasedCompressionvolumeLabelbtlkIsSupportedbtlkConversionStatusbtlkEncryptionMethodbtlkProtectionStatusbtlkLockStatusbtlkIsVolumeInitializedForProtectionbtlkProtectorExternalKeyIdbtlkProtectorExternalKeybtlkProtectorExternalKeyFilebtlkProtectorNumericalPasswordIdbtlkProtectorNumericalPasswordbtlkProtectorNumericalPasswordSha256Error: BitLocker, drive {} protected, but NumericalPassword detected wrong data: {}btlkProtectorExternalKeySha256Error on parse DiskVolume from JSONDiskVolumeDataStatus OkfreeSpacevolumeFullPercentageactiveTimePercentageaverageResponseTimeMilliSecondsreadSpeedKBpswriteSpeedKBpsDiskVolumePerfStatsDataInstalledSoftwareDataLoggedOnUserDataloggedOffTimeloggedInTimeLogged on user: {}Not serializing anything because loggedonuser data was empty.tagdeviceLocatorpartNumberspeedMHzMemoryDatacachedBytescommitLimitBytescommittedByteshardwareReservedBytespagedPoolBytesnonpagedPoolBytesavailableBytesusedBytesutilizationPercentageMemoryPerfStatsDatainterfaceIndexdefaultGatewaydnsServersinterfaceNameipAddressmtumacAddresssubnetMaskadapterNameNetworkInterfaceDatasendBpsreceiveBpsNetworkInterfacePerfStatsDataOperatingSystemDataMicrosoft CorporationbootDevicebuildNumbershortNamemajorVersionminorVersioncodeSetcountryNamelastBootTimelocalelongNameosArchitectureosLanguageregisteredUserservicePackMajorVersionservicePackMinorVersionsystemDevicesystemDirectorysystemDrivewindowsDirectoryreleaseIdproductKeypendingRebootReasonsUnknownFailed to parse OS data.allocatedBaseSizetempPageFilePageFileUsageDataportNoprotocolservicePortStatusDatadeviceIdcurrentClockSpeedextClockFrequencyl1CacheSizel2CacheS
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: VMWARE
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: Hyper-V is enabled on this computer
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3094928050.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmci6K
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3188066394.0000000009C4A000.00000004.00000020.00020000.00000000.sdmp, NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: Hyper-V Virtual Disk (VHD-format) fixed
Source: NinjaRMMAgent.exe, 00000020.00000002.4124465385.00000000017D7000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: pFAILED: CC_CSMI_SAS_GET_DRIVER_INFOFAILED: CC_CSMI_SAS_GET_RAID_INFOFAILED: PCSMI_SAS_RAID_CONFIG_BUFFER Memory AllocFAILED: CC_CSMI_SAS_GET_RAID_CONFIGFAILED: CC_CSMI_SAS_GET_PHY_INFOCSMIALLCSMISASCSMIARYDoIdentifyDeviceCsmiGetSmartAttributeCsmiFillSmartDataGetSmartThresholdCsmiFillSmartThresholdControlSmartStatusCsmiSAMSUNG SVParallelsVMwareQEMUParallel ATAPIO/DMAUDMA/133UDMA/100UDMA/66UDMA/44UDMA/33UDMA/25UDMA/16Serial ATAHITACHI_DKMAXTOR 6HMAXTOR 7H500MAXTOR 6L0MAXTOR 4KSAMSUNG SPSAMSUNG HMSAMSUNG MPCFD_CSSD-S6TM128NMPQCFD_CSSD-S6TM256NMPQVM21VN21PX-128M2PPX-256M2PCorsair Performance ProINTEL SSDSC2CWA3INTEL SSDSC2BWINTEL SSDSC2CTACS-%dATA8-ACSATA/ATAPI-%dATA-%dATA (ATA-1) X3T9.2 781D prior to revision 4ATA-1 published, ANSI X3.221-1994ATA (ATA-1) X3T10 781D revision 4ATA-2 published, ANSI X3.279-1996ATA-2 X3T10 948D prior to revision 2kATA-3 X3T10 2008D revision 1ATA-2 X3T10 948D revision 2kATA-3 X3T10 2008D revision 0ATA-2 X3T10 948D revision 3ATA-3 published, ANSI X3.298-199xATA-3 X3T10 2008D revision 6ATA-3 X3T13 2008D revision 7 and 7aATA/ATAPI-4 X3T13 1153D version 6ATA/ATAPI-4 T13 1153D version 13ATA/ATAPI-4 X3T13 1153D version 7ATA/ATAPI-4 T13 1153D version 18ATA/ATAPI-4 T13 1153D version 15ATA/ATAPI-4 published, ANSI INCITS 317-1998ATA/ATAPI-5 T13 1321D version 3ATA/ATAPI-4 T13 1153D version 14ATA/ATAPI-5 T13 1321D version 1ATA/ATAPI-5 published, ANSI INCITS 340-2000ATA/ATAPI-4 T13 1153D version 17ATA/ATAPI-6 T13 1410D version 0ATA/ATAPI-6 T13 1410D version 3aATA/ATAPI-7 T13 1532D version 1ATA/ATAPI-6 T13 1410D version 2ATA/ATAPI-6 T13 1410D version 1ATA/ATAPI-7 published ANSI INCITS 397-2005.ATA/ATAPI-7 T13 1532D version 0ACS-3 Revision 3bATA/ATAPI-7 T13 1532D version 4aATA/ATAPI-6 published, ANSI INCITS 361-2002ATA8-ACS version 3cATA8-ACS version 6ATA8-ACS version 4ACS-2 Revision 2ATA8-ACS version 3eATA8-ACS version 4cATA8-ACS version 3fATA8-ACS version 3bACS-4 Revision 5ACS-3 Revision 5ACS-2 published, ANSI INCITS 482-2012ACS-4 published, ANSI INCITS 529-2018ATA8-ACS version 2dACS-3 published, ANSI INCITS 522-2014ACS-2 Revision 3ACS-3 Revision 4---- [%04Xh]\|AMD_RC2t7x86.dllGakuto MatsumuraAMD_RC2_InitAMD_RC2_GetStatusAMD_RC2_GetDrivesAMD_RC2_ReloadAMD_RC2_GetIdentifyAMD_RC2_GetSmartDataAMD_RC2_uninitialAMD_RC2_unloadedAMD_RC2_failed_signatureAMD_RC2_driver_not_foundAMD_RC2_cannot_openAMD_RC2_failed_memory_allocAMD_RC2_offset_overflowAMD_RC2_driver_version_oldAMD_RC2_not_adminAMD_RC2_name_failedDoIdentifyDeviceAMD_RC2:begin

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe" --mode unattended	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc.exe failure NinjaRMMAgent reset=86400 actions=restart/60000/restart/60000//	Jump to behavior

Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189621645.000000000512E000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3097599368.000000000512E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dde execute progman progman [format {[ShowGroup("%s",6)]} $tCByq]
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189621645.000000000512E000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3097599368.000000000512E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dde execute PROGMAN PROGMAN [format {[CreateGroup("%s")]} $tCByq]
Source: ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3189621645.000000000512E000.00000004.00000020.00020000.00000000.sdmp, ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe, 0000000C.00000003.3097599368.000000000512E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: catch {dde execute PROGMAN PROGMAN [format {[DeleteGroup("%s")]} $tCByq]}

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\CabArc.Exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\CabArc.Exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\CabArc.Exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl-ca-bundle.crt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl-ca-bundle.crt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\wevtutil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\curl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\Uninstall NinjaRMMAgent.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstbr.000 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.dat.new VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstbr.000 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe	Queries volume information: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\uninstall-ninja.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-f5d6d7dc-1563-42ce-af67-6e44ea01c310\files\ac0d9bc9-039a-4817-bc5a-b1b748cad6cb-internalinfrastructuremainoffice-7.0.2317-windows-installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Jump to behavior

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Yara match	File source: 00000011.00000002.4124046133.00000000028F6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.3172328933.00000000028F6000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4124465385.0000000002519000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.3885840625.0000000002519000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgentPatcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\internalinfrastructuremainoffice-7.0.2317\NinjaRMMAgent.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Service Execution	1 Windows Service	1 Windows Service	31 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	12 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Services File Permissions Weakness	12 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Services File Permissions Weakness	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
internalinfrastructuremainoffice-7.0.2317-windows-installer.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report internalinfrastructuremainoffice-7.0.2317-windows-installer.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
internalinfrastructuremainoffice-7.0.2317-windows-installer.msi