Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: certificate valid |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\wixca.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\scasched.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\scaexec.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirun_silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb/ source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb' source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirem_silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0= |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0K |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://wixtoolset.org |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://clients2.google.com/service/update2/crx;Software |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://ffextension.nexthink.com/nexthink-latest-an-fx.xpiCan |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Resource name: BIN type: PE32+ executable (GUI) x86-64, for MS Windows |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Resource name: BIN type: PE32+ executable (GUI) x86-64, for MS Windows |
Source: Nexthink_Collector_Installer_Silent.exe |
Binary or memory string: OriginalFilename vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamemsicollectorcustomactions.dllF vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewixca.dll\ vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamescasched.dll\ vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamescaexec.dll\ vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe |
Binary or memory string: OriginalFilenamenxtinstaller.exeF vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe |
Binary or memory string: OriginalFilenamemsirun.exeF vs Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe |
Binary or memory string: OriginalFilenamemsirem.exeF vs Nexthink_Collector_Installer_Silent.exe |
Source: classification engine |
Classification label: clean1.winEXE@1/0@0/0 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Window detected: Number of UI elements: 35 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: certificate valid |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static file information: File size 70886592 > 1048576 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x4291400 |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\wixca.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\scasched.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\agent\_work\138\s\build\ship\x86\scaexec.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirun_silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\Nexthink_Collector_Installer_Silent.pdb/ source: Nexthink_Collector_Installer_Silent.exe |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msicollectorcustomactions.pdb' source: Nexthink_Collector_Installer_Silent.exe, 00000000.00000000.1679916321.00007FF7DB1CF000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\jenkins\workspace\nexthinkinstaller_release_24.2.2\Local\bin\x64\Release\msirem_silent.pdb source: Nexthink_Collector_Installer_Silent.exe |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: Nexthink_Collector_Installer_Silent.exe |
Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Code function: 0_2_00007FF7D75874CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00007FF7D75874CC |
Source: C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |