File name: NinjaUI-Setup.exe

Full analysis: https://app.any.run/tasks/702ca493-5280-420f-9f9f-a43d5fdcb7bf
Verdict: Malicious activity
Analysis date: November 22, 2023, 22:39:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: A2F82F8C87ECE927754737FB84D677E9
SHA1: EF90BBBED75979809F765A4E74EBB92867AD2CF9
SHA256: 5FF90968BCE896F2E2F2EFBCDFD7F90B28042ED6CCBB312C6E5B4FF44536FD08
SSDEEP: 49152:57k6c++EgTq55sjPW3vQ9574g4XAvMCEOH0l3DhbbaHmlwsqcnhGE07sIUsrSzUY:5TCugWoI3w0CvHU31bbaHWwsnz0QIUAE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NinjaUI-Setup.exe (PID: 3608)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • NinjaUI-Setup.exe (PID: 3608)
    • Reads the Internet Settings

      • NinjaUI-Setup.exe (PID: 3608)
  • INFO

    • Checks supported languages

      • NinjaUI-Setup.exe (PID: 3608)
      • wmpnscfg.exe (PID: 3884)
    • Reads the computer name

      • NinjaUI-Setup.exe (PID: 3608)
      • wmpnscfg.exe (PID: 3884)
    • Reads the machine GUID from the registry

      • NinjaUI-Setup.exe (PID: 3608)
      • wmpnscfg.exe (PID: 3884)
    • Create files in a temporary directory

      • NinjaUI-Setup.exe (PID: 3608)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3884)
    • Reads Environment values

      • NinjaUI-Setup.exe (PID: 3608)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2105:03:16 12:58:25+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 997376
InitializedDataSize: 55808
UninitializedDataSize: -
EntryPoint: 0xf566e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Setup Installer for NinjaUI Client
CompanyName: ZeroByteZ
FileDescription: NinjaUI Online Setup
FileVersion: 1.0.0.0
InternalName: NinjaUI-OnlineInstaller.exe
LegalCopyright: © NinjaUI 2023
LegalTrademarks: -
OriginalFileName: NinjaUI-OnlineInstaller.exe
ProductName: NinjaUI Installer
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start -> ninjaui-setup.exe; wmpnscfg.exe (no specs); ninjaui-setup.exe (no specs)

Process information

PID: 3140
CMD: "C:\Users\admin\AppData\Local\Temp\NinjaUI-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\NinjaUI-Setup.exe
Parent process: explorer.exe
User: admin
Company: ZeroByteZ
Integrity Level: MEDIUM
Description: NinjaUI Online Setup
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\ninjaui-setup.exe
c:\windows\system32\ntdll.dll

PID: 3608
CMD: "C:\Users\admin\AppData\Local\Temp\NinjaUI-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\NinjaUI-Setup.exe
Parent process: explorer.exe
User: admin
Company: ZeroByteZ
Integrity Level: HIGH
Description: NinjaUI Online Setup
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\ninjaui-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3884
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 3 629
Read events: 3 606
Write events: 20
Delete events: 3

Modification events

Process: (3608) NinjaUI-Setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3884) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{68CA8C34-59B1-4CB7-9A3C-2B20E3342E58}\{7169A35A-981D-47C3-B2F1-6618EF9B077D}
Operation: delete key
Name: (default)
Value: -

Process: (3884) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{68CA8C34-59B1-4CB7-9A3C-2B20E3342E58}
Operation: delete key
Name: (default)
Value: -

Process: (3884) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{68F34061-137E-47A2-9ED6-1A54DF457615}
Operation: delete key
Name: (default)
Value: -

Process: (3608) NinjaUI-Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3608) NinjaUI-Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3608) NinjaUI-Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3608) NinjaUI-Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 8
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3608 | NinjaUI-Setup.exe | C:\NinjaUI\NinjaLLInjector64.exe | executable
MD5: AA0FBEFD978B88384A9F822858877357
SHA256: F09C016D88F126C2866FFFF522716328F250AF1D9F0708F1EFEEADCD2DB4C5EB
3608 | NinjaUI-Setup.exe | C:\NinjaUI\Newtonsoft.Json.dll | executable
MD5: 081D9558BBB7ADCE142DA153B2D5577A
SHA256: B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
3608 | NinjaUI-Setup.exe | C:\NinjaUI\NinjaLLInjector32.exe | executable
MD5: A4395C6BD025D170812F12C0A474E856
SHA256: CD7CEC5AAE1B795E5AD194AF84F213B130EC4F20D45E07CECADAEC3D0EAC8FC7
3608 | NinjaUI-Setup.exe | C:\NinjaUI\NinjaUI.exe | executable
MD5: 260ECE9B3946F449885471B167438254
SHA256: 129BD1273DBAB354B529651D5FEEF8F2032B416F58B4B66B4419135E29F3F8CD
3608 | NinjaUI-Setup.exe | C:\Users\admin\AppData\Local\Temp\NinjaUI-Package.zip | compressed
MD5: ADC05775C63636024BD54216D9F16E0D
SHA256: 14CD28C6EF38A5991942AD6BF18C670990E069234F74DDFD84B6950B934ABE6E
3608 | NinjaUI-Setup.exe | C:\NinjaUI\NinjaUI_Icon.ico | image
MD5: 7A7BA5993152DE8914C6CA218AD267BC
SHA256: 867C0562B34C289BE7909E102C949E1D55A9BCEE02E2BAF4673B6B3A91A37F57
3608 | NinjaUI-Setup.exe | C:\Users\admin\Desktop\NinjaUI.lnk | binary
MD5: E9021589555C1A8609FE05DD44F1777D
SHA256: 8B3677CD41CA04B58BA88F5B06E94F69B608CAFAFCE3506E6626ED3A323325CA
3608 | NinjaUI-Setup.exe | C:\NinjaUI\NinjaMapInjector32.exe | executable
MD5: 3BAE922CCA305491C447F02D1BB80025
SHA256: 51D243AC5F5A0230B3EA042F54BF6C7DB79AA1B3B26D03C4BA01F68DB1053ED7
3608 | NinjaUI-Setup.exe | C:\NinjaUI\Guna.UI2.dll | executable
MD5: 833EA6F218E73110E2158958AF659CDB
SHA256: 8869BA7CF8D6A7410255D19A4883014E6B8594278593B46910C77A945C176EC5
3608 | NinjaUI-Setup.exe | C:\NinjaUI\DiscordRPC.dll | executable
MD5: 3956130E36754F184A0443C850F708F8
SHA256: 25C39F91F737D80040C72C9E3F95DB0FECE1C9653F501828ADC16CFB1EC59D26
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3608 | NinjaUI-Setup.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | shared

Threats

No threats detected
No debug info