Windows Analysis Report
Nexthink_Collector_Installer_Silent.exe

Overview

General Information

Sample name: Nexthink_Collector_Installer_Silent.exe
Analysis ID: 1426833
MD5: a734e0ea93d16c673272cd373df1faf5
SHA1: b6454106405dfdb732641e34961a09127621bf5c
SHA256: 603a9e9a531caf7bcea1992bfae68583f12beb7edac4768d4b50e76b16af60cd

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Classification

Source: Nexthink_Collector_Installer_Silent.exe Static PE information: certificate valid
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\wixca.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb source: Nexthink_Collector_Installer_Silent.exe
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\scasched.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\scaexec.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirun_silent.pdb source: Nexthink_Collector_Installer_Silent.exe
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb/ source: Nexthink_Collector_Installer_Silent.exe
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb' source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirem_silent.pdb source: Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://wixtoolset.org
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx;Software
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ffextension.nexthink.com/nexthink-latest-an-fx.xpiCan
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Resource name: BIN type: PE32+ executable (GUI) x86-64, for MS Windows
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Resource name: BIN type: PE32+ executable (GUI) x86-64, for MS Windows
Source: Nexthink_Collector_Installer_Silent.exe Binary or memory string: OriginalFilename vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsicollectorcustomactions.dllF vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewixca.dll\ vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamescasched.dll\ vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamescaexec.dll\ vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe Binary or memory string: OriginalFilenamenxtinstaller.exeF vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe Binary or memory string: OriginalFilenamemsirun.exeF vs Nexthink_Collector_Installer_Silent.exe
Source: Nexthink_Collector_Installer_Silent.exe Binary or memory string: OriginalFilenamemsirem.exeF vs Nexthink_Collector_Installer_Silent.exe
Source: classification engine Classification label: clean1.winEXE@1/0@0/0
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Window detected: Number of UI elements: 35
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Nexthink_Collector_Installer_Silent.exe Static file information: File size 70886592 > 1048576
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x4291400
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Nexthink_Collector_Installer_Silent.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Code function: 0_2_00007FF7D75874CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7D75874CC
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos