Play interactive tour

Edit tour

Windows Analysis Report niPie.exe

Overview

General Information

Sample Name:	niPie.exe
Analysis ID:	502665
MD5:	601fda01efb1a22e18a19793158b51fe
SHA1:	925f30c4a425c133915ee92dd4c0900f31536c04
SHA256:	5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3
Infos:
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Found evasive API chain (may stop execution after accessing registry keys)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

niPie.exe (PID: 4528 cmdline: 'C:\Users\user\Desktop\niPie.exe' -install MD5: 601FDA01EFB1A22E18A19793158B51FE)

niPie.exe (PID: 5808 cmdline: 'C:\Users\user\Desktop\niPie.exe' /install MD5: 601FDA01EFB1A22E18A19793158B51FE)

WerFault.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

niPie.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\niPie.exe' /load MD5: 601FDA01EFB1A22E18A19793158B51FE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: niPie.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: niPie.exe

Static PE information: certificate valid

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: WerFault.exe, 0000000B.00000002.302967214.0000000004C80000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: niPie.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: niPie.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: niPie.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: niPie.exe	String found in binary or memory: http://s.symcd.com06
Source: niPie.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: niPie.exe	String found in binary or memory: http://s2.symcb.com0
Source: niPie.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: niPie.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: niPie.exe	String found in binary or memory: http://sf.symcd.com0&
Source: niPie.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: niPie.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: niPie.exe	String found in binary or memory: http://sv.symcd.com0&
Source: niPie.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: niPie.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: niPie.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: niPie.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: niPie.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: niPie.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: niPie.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: niPie.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: niPie.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: niPie.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: niPie.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: niPie.exe, 00000000.00000002.276768438.00000000007AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: niPie.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: niPie.exe, 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 00000004.00000000.285248528.000000000040F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 0000000C.00000000.287069798.000000000040F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe	Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe

Source: C:\Users\user\Desktop\niPie.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00402100

Source: niPie.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\niPie.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' -install
Source: unknown	Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /install
Source: C:\Users\user\Desktop\niPie.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Source: unknown	Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /load

Source: C:\Users\user\Desktop\niPie.exe	Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp

Jump to behavior

Source: niPie.exe	String found in binary or memory: /install
Source: niPie.exe	String found in binary or memory: /install
Source: niPie.exe	String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\.Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue

Source: classification engine

Classification label: clean5.winEXE@4/6@0/1

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: niPie.exe

Static PE information: certificate valid

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\niPie.exe	Code function: 0_2_00402930 push eax; ret
Source: C:\Users\user\Desktop\niPie.exe	Code function: 4_2_0019CE94 push esp; retf

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\niPie.exe

Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\niPie.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Users\user\Desktop\niPie.exe

API call chain: ExitProcess graph end node

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: WerFault.exe, 0000000B.00000002.302919023.00000000047E1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWPs}
Source: WerFault.exe, 0000000B.00000003.300055039.00000000047FA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000B.00000002.302910267.00000000047D1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\niPie.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\niPie.exe

Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,

Source: Amcache.hve.11.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection2	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
niPie.exe	0%	Metadefender		Browse
niPie.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.11.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	niPie.exe	false		high
http://www.symauth.com/cps0(	niPie.exe	false		high
http://www.symauth.com/rpa00	niPie.exe	false		high
http://ocsp.thawte.com0	niPie.exe	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502665
Start date:	14.10.2021
Start time:	08:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	niPie.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@4/6@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 100% (good quality ratio 97.2%) Quality average: 87.1% Quality standard deviation: 22.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.190.160.67, 20.190.160.129, 20.190.160.8, 20.190.160.4, 20.190.160.134, 20.190.160.132, 20.190.160.73, 20.190.160.75, 20.42.73.29, 20.82.210.154, 52.251.79.25, 20.54.110.249, 93.184.221.240, 8.253.95.121, 8.248.133.254, 67.26.83.254, 8.248.143.254, 8.248.145.254, 40.112.88.60, 20.199.120.182, 2.20.178.24, 2.20.178.33 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, www.tm.lg.prod.aadmsa.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, onedsblobprdeus15.eastus.cloudapp.azure.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target niPie.exe, PID 5808 because there are no executed function Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/502665/sample/niPie.exe

Simulations

Behavior and APIs

Time	Type	Description
08:41:26	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_niPie.exe_e6cde1c574634daa1e46756134802be990d9bced_e1e15161_140105c6\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8703585320712506
Encrypted:	false
SSDEEP:	192:wIBNLyipHkgdbcDhRjgIh/u7sYS274ItU:wcNeiZk0c7jj/u7sYX4ItU
MD5:	C0D7310843F8F4325C1610FDDA4668E4
SHA1:	D4DFA0568167234554D7F1BADF51561DD2D2BA72
SHA-256:	6C26895BCFD43A4A1D61A701F664F5B6264B96335A8A71670F83D33B38405E6A
SHA-512:	D7E4F3F7EE44964FDB97D4B087FAA2401277EAD1529E4873D9F7F4498DEC637A6FC5B1D14C34B54C22532316AC767405110377D0D16BA4FE4CE23CD81868C957
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.6.9.9.6.8.1.5.1.9.2.6.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.6.9.9.6.8.5.4.0.9.9.1.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.b.7.d.d.8.8.-.d.6.b.8.-.4.b.8.b.-.a.e.d.d.-.b.e.c.e.d.d.4.7.e.3.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.3.0.0.b.5.b.-.c.b.f.7.-.4.7.c.4.-.b.e.8.5.-.0.9.5.3.4.d.0.5.e.b.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.i.P.i.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.0.-.0.0.0.1.-.0.0.1.c.-.d.e.7.b.-.5.6.e.d.1.1.c.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.d.5.0.2.0.4.0.b.e.0.4.5.9.b.0.a.9.a.6.5.f.2.d.2.f.5.0.6.c.5.f.0.0.0.0.f.f.f.f.!.0.0.0.0.9.2.5.f.3.0.c.4.a.4.2.5.c.1.3.3.9.1.5.e.e.9.2.d.d.4.c.0.9.0.0.f.3.1.5.3.6.c.0.4.!.n.i.P.i.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.3././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 14 15:41:22 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	54596
Entropy (8bit):	2.059817025510805
Encrypted:	false
SSDEEP:	192:1+4fNhNi0OC4OV6e6bzyN3SzEkMg96CQIhu2YlXalyCBKb:Bl+CfBX1bIhLyC8
MD5:	B9D0C19927DC3FC2628C9ACBCD0EA583
SHA1:	B056DEEF8A7A09F2BAB02DCD212D78466AE6579F
SHA-256:	D9BCDBA6ACD224A38C1DAF72FDA6590EFE7E013313452D72538E3FF3C0572653
SHA-512:	97F22935AC3882A0E500B0DB213BB7E4D6264D7D87446BE551E3194002EA323C6E62E5B0948AE48313D1A546CC8DDF0CE00C9BB4CCA441CD2EE816B936BDFD01
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........Oha....................................d....0..........T.......8...........T...............D............................................................................................U...........B......d.......GenuineIntelW...........T............Oha.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF656.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6902502451531936
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNif66rY6YFPSUyogmfRSqXh7CprRc89b2vsfINjym:RrlsNiy606YtSUyogmfRSXJ2UfINH
MD5:	C197E246B6EBB950F52D55C6D5B459F4
SHA1:	BBBFDC67A29B9F7967EB16DF1BC7F4B984FDA502
SHA-256:	E9670D33B9E2A1F9B58E786B18C8932CF7541A02DD4F150C8803315151AA37EF
SHA-512:	ADC44F6500E8C3E4BEDD947688DDEA258B139652749F7F9D4B4507BB722F969E329E81DB8EFF4EEFF965FD81C538222A433467870216B1F3AFFDD41D3459115F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA10.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4544
Entropy (8bit):	4.440570598188364
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9iMWSC8BWM8fm8M4J46qE+L/bFbX+q8qsS7R/nhws60Xi8d:uITfR5lSNUxJ6Fws60Xi8d
MD5:	665AACD7328A47617D15C599E633FA94
SHA1:	1D6A3AE0B676DFB321924FF0E5CA24789ABB7336
SHA-256:	FA858B206ECE5CE3843078D4C1E489E086549140118E61652D1C9BBDA1C6A6AB
SHA-512:	89EE7E52E7157FB87E885A80DD40DD93DBE3BDA0DF9A12EA3125ED5E0D13BF3F8F40CAB187DC553285F4A95E637378C925E54246F5F31DE8DC5433B405E50A94
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1209652" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.275087550666143
Encrypted:	false
SSDEEP:	12288:FipMLJvchtjAw8z7nZ38GMARuhauEhP16N6xcqUEbGt4pVs1E9dZZd:UpMLJvchtjAw8zXN
MD5:	2C419893782E19E68C6EA20E61ADE4FD
SHA1:	684AF6925498E41E88494D73E2D447DB019EEA73
SHA-256:	4CEC7CBC5FF3A479E46BC0004A2DE16AD1CC45B998E527DE792CC85C0C57D7B0
SHA-512:	84A1721FBFD55B3E8147F0126A5E0577D12C8DA31C0356E144F7B48BEA86951BBC58E7EC121591C5DE46156AA4A037C9CC636A324B857E4A292AB718B3C12D87
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.K...................................................................................................................................................................................................................................................................................................................................................O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	4.183354901830507
Encrypted:	false
SSDEEP:	768:nnUdC0MwqhBrOFftx1xJ4X7fFK7bBqXIeq5QMVyi6a74LXHuzEsFqb+v:VfB2xA/CReOhqC
MD5:	23FFAE33C71AB2637BA27D8CF7225580
SHA1:	1A345D8BBE40B02FB15DFBD9CF3EF167A3D695F1
SHA-256:	DB922318220427C790ED4E8F88672BD213D8AD2FF1D2C67C79A1B3F58F19D68E
SHA-512:	AA414C8B6D0646FB4A58D45108EEC1F1CD08F37275C534987B6B135424D0B249F48E7F54DC51E209B0205DFE3D329C97BEE2136DB3CCC8D57C56BA54D108F79F
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.K...................................................................................................................................................................................................................................................................................................................................................O.HvLE.~......Y.............`....)................ ....... .......0................... ..hbin................p.\..,..........nk,..2N..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..2N......... ........................... .......Z.......................Root........lf......Root....nk ..2N......................}.............. ...............*...............DeviceCensus.......................vk..................WritePer

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.892836892157124
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	niPie.exe
File size:	73664
MD5:	601fda01efb1a22e18a19793158b51fe
SHA1:	925f30c4a425c133915ee92dd4c0900f31536c04
SHA256:	5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3
SHA512:	0db9ac45dfa3e4530fa4a945e3cac301e1ee8b26fc2690739741d72e1b7712e205f4bf83463e51c70df141af663ffa54c4e281d93f3bc386487a42eb1778a03c
SSDEEP:	768:gjan8GnhwDHcnrkqAAO8IEwm8iNWTGzvtKsDsoxm3whvI:gjanoDGrkbAO80mhN/ZKsDnmghw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..)k..zk..zk..z...zh..z...zx..z...zW..z...zc..z2..zl..zk..z,..zm..zo..z...zj..z...zj..zRichk..z................PE..L...j.I>...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x402d93
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x3E49816A [Tue Feb 11 23:04:10 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8fcbb82d712dc622f705d3815ebb3266

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/11/2016 5:00:00 PM 7/12/2019 4:59:59 PM
Subject Chain	CN=National Instruments Corporation, O=National Instruments Corporation, L=Austin, S=Texas, C=US
Version:	3
Thumbprint MD5:	1C8D1A5469552A41DE716974A986D673
Thumbprint SHA-1:	70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111
Thumbprint SHA-256:	4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007
Serial:	61C3329855F6476CFCB4FCF359E55909

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00409140h
push 004058E4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00409094h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CBE0h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CBDCh], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CBD8h], ecx
shr eax, 10h
mov dword ptr [0040CBD4h], eax
xor esi, esi
push esi
call 00007FA6DC9FFF2Fh
pop ecx
test eax, eax
jne 00007FA6DC9FD59Ah
push 0000001Ch
call 00007FA6DC9FD645h
pop ecx
mov dword ptr [ebp-04h], esi
call 00007FA6DC9FFBFAh
call dword ptr [00409090h]
mov dword ptr [0040E108h], eax
call 00007FA6DC9FFAB8h
mov dword ptr [0040CBB4h], eax
call 00007FA6DC9FF861h
call 00007FA6DC9FF7A3h
call 00007FA6DC9FF4C0h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0040908Ch]
call 00007FA6DC9FF734h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FA6DC9FD598h
movzx eax, word ptr [ebp-2Ch]
jmp 00007FA6DC9FD595h
push 0000000Ah
pop eax
push eax
push dword ptr [ebp-64h]
push esi
push esi
call dword ptr [00409088h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x9bc0	0x72	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9548	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0xa20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe000	0x3fc0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7722	0x8000	False	0.566650390625	COM executable for DOS	6.39486324672	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0xc32	0x1000	False	0.376708984375	data	4.52160108025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x410c	0x3000	False	0.0714518229167	data	0.996089583315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0xa20	0x1000	False	0.26318359375	data	4.15843705735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0xf130	0xa0	data	English	United States
RT_STRING	0xf1d0	0x144	data	German	Germany
RT_STRING	0xf314	0x132	data	English	United States
RT_STRING	0xf448	0x150	data	French	France
RT_STRING	0xf598	0xd8	data	Japanese	Japan
RT_VERSION	0xf670	0x3b0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	ReleaseMutex, WaitForSingleObjectEx, CreateThread, Sleep, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA, CreateMutexA, ExitProcess, GetCurrentProcess, UnhandledExceptionFilter, FlushFileBuffers, ReadFile, CloseHandle, LoadLibraryA, GetProcAddress, SetStdHandle, HeapReAlloc, VirtualAlloc, GetStringTypeW, GetStringTypeA, SetFilePointer, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, DeleteFileA, GetCPInfo, GetACP, GetOEMCP, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, HeapAlloc, HeapFree, TerminateProcess, GetLastError, GetFileType, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, WriteFile
USER32.dll	SendMessageA, SetDlgItemTextA, MessageBoxA, EndDialog, LoadStringA, DialogBoxParamA
ADVAPI32.dll	RegOpenKeyExA, RegEnumKeyExA, RegEnumValueA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA
Msi.dll

Exports

Name	Ordinal	Address
RFL_RegSetBinary	2	0x401aa0
_RFL_RegGetBinary@20	1	0x401a70

Version Infos

Description	Data
LegalCopyright	Copyright 2002-2017. All Rights Reserved.
InternalName	WinNestInst
FileVersion	17.5.0.170
CompanyName	National Instruments
PrivateBuild
LegalTrademarks
Comments
ProductName	National Instruments UM Satellite
SpecialBuild
ProductVersion	17.5.0
FileDescription	WinNestInst
OriginalFilename	WinNestInst.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany
French	France
Japanese	Japan

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: niPie.exe PID: 4528 Parent PID: 3604

General

Start time:	08:41:14
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\niPie.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\niPie.exe' -install
Imagebase:	0x400000
File size:	73664 bytes
MD5 hash:	601FDA01EFB1A22E18A19793158B51FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: niPie.exe PID: 5808 Parent PID: 3604

General

Start time:	08:41:17
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\niPie.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\niPie.exe' /install
Imagebase:	0x400000
File size:	73664 bytes
MD5 hash:	601FDA01EFB1A22E18A19793158B51FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exe PID: 5344 Parent PID: 5808

General

Start time:	08:41:19
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Imagebase:	0xd00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: niPie.exe PID: 5332 Parent PID: 3604

General

Start time:	08:41:19
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\niPie.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\niPie.exe' /load
Imagebase:	0x400000
File size:	73664 bytes
MD5 hash:	601FDA01EFB1A22E18A19793158B51FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report niPie.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: niPie.exe PID: 4528 Parent PID: 3604

General

Analysis Process: niPie.exe PID: 5808 Parent PID: 3604