Source: niPie.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: niPie.exe | Static PE information: certificate valid |
Source: | Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp |
Source: | Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp |
Source: | Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: WerFault.exe, 0000000B.00000002.302967214.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: niPie.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: niPie.exe | String found in binary or memory: http://ocsp.thawte.com0 |
Source: niPie.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: niPie.exe | String found in binary or memory: http://s.symcd.com06 |
Source: niPie.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: niPie.exe | String found in binary or memory: http://s2.symcb.com0 |
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0a |
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0 |
Source: niPie.exe | String found in binary or memory: http://sf.symcd.com0& |
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a |
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: niPie.exe | String found in binary or memory: http://sv.symcd.com0& |
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net |
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/cps0( |
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/rpa00 |
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/cps0% |
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0. |
Source: niPie.exe, 00000000.00000002.276768438.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: niPie.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: niPie.exe, 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe |
Source: niPie.exe, 00000004.00000000.285248528.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe |
Source: niPie.exe, 0000000C.00000000.287069798.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe |
Source: niPie.exe | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe |
Source: C:\Users\user\Desktop\niPie.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528 |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402100 |
Source: niPie.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\niPie.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' -install |
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /install |
Source: C:\Users\user\Desktop\niPie.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528 |
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /load |
Source: C:\Users\user\Desktop\niPie.exe | Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808 |
Source: niPie.exe | String found in binary or memory: /install |
Source: niPie.exe | String found in binary or memory: /install |
Source: niPie.exe | String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue |
Source: classification engine | Classification label: clean5.winEXE@4/6@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: niPie.exe | Static PE information: certificate valid |
Source: | Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp |
Source: | Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp |
Source: | Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402930 push eax; ret |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 4_2_0019CE94 push esp; retf |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\niPie.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\niPie.exe | API coverage: 6.3 % |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\Desktop\niPie.exe | API call chain: ExitProcess graph end node |
Source: Amcache.hve.11.dr | Binary or memory string: VMware |
Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.11.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc. |
Source: WerFault.exe, 0000000B.00000002.302919023.00000000047E1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWPs} |
Source: WerFault.exe, 0000000B.00000003.300055039.00000000047FA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo |
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.11.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: WerFault.exe, 0000000B.00000002.302910267.00000000047D1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7 |
Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\niPie.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, |
Source: Amcache.hve.11.dr | Binary or memory string: c:\users\user\desktop\procexp.exe |
Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.11.dr | Binary or memory string: procexp.exe |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.