Edit tour
Windows
Analysis Report
Nexthink_Collector_Installer_Silent.exe
Overview
General Information
| Sample name: | Nexthink_Collector_Installer_Silent.exe |
| Analysis ID: | 1426833 |
| MD5: | a734e0ea93d16c673272cd373df1faf5 |
| SHA1: | b6454106405dfdb732641e34961a09127621bf5c |
| SHA256: | 603a9e9a531caf7bcea1992bfae68583f12beb7edac4768d4b50e76b16af60cd |
 | |
Detection
| Score: | 1 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Classification
Analysis Advice
| Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
- System is w10x64
Nexthink_Collector_Installer_Silent.exe (PID: 7316 cmdline: "C:\Users\ user\Deskt op\Nexthin k_Collecto r_Installe r_Silent.e xe" MD5: A734E0EA93D16C673272CD373DF1FAF5)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF7D75874CC | |
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 3 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1426833 |
| Start date and time: | 2024-04-16 17:22:21 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Nexthink_Collector_Installer_Silent.exe |
| Detection: | CLEAN |
| Classification: | clean1.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Nexthink_Collector_Installer_Silent.exe, PID 7316 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.980505318400647 |
| TrID: |
|
| File name: | Nexthink_Collector_Installer_Silent.exe |
| File size: | 70'886'592 bytes |
| MD5: | a734e0ea93d16c673272cd373df1faf5 |
| SHA1: | b6454106405dfdb732641e34961a09127621bf5c |
| SHA256: | 603a9e9a531caf7bcea1992bfae68583f12beb7edac4768d4b50e76b16af60cd |
| SHA512: | 966c5eb64f8d955e7692f1c9deefdc0bfd2544c47460432c342bbd64e333b68ef052d12802f6e39ce6f51df687aa3a59364c12fe16367b312faeb9f915d204b2 |
| SSDEEP: | 1572864:rAACpH7aKRZpaOsJPXtoYyCTbi0PuK4X8uU0L2wpAUfxoISl4mrhwKRkaQaNCNa3:rnCoUFsJhx34X8hAx7xlI4m1pRFQG0f4 |
| TLSH: | 85F733067E6401A9EEB7B139B5AE8900EA753C1513238ACB23F0759B1F73ED05A7631D |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;[.&.:.u.:.u.:.ukQ.tu:.ukQ.tl:.ukQ.t.:.u-O.to:.u-O.tu:.u-O.t.:.ukQ.tn:.u.:.u.:.u.O.tv:.u.O1u~:.u.O.t~:.uRich.:.u........PE..d.. |
 | |
| Icon Hash: | 53f16d4d4d4dcc51 |
| Entrypoint: | 0x140026ca8 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65F1B49F [Wed Mar 13 14:13:51 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 45bf8736c7180e4761c8e6262738d870 |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 90AFB125D358CFA7B918C56823D11089 |
| Thumbprint SHA-1: | EBDAE0ACE9C8F5D0136152C0FDC1971DB3604412 |
| Thumbprint SHA-256: | C1AB4749A2D23E6B829EA39BE33F04EE1211F525C47991BAB791C7493CCC367B |
| Serial: | 075A2790DAD211DD1320BFDC8F6DC855 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F23807067F0h |
| dec eax |
| add esp, 28h |
| jmp 00007F2380705E4Fh |
| int3 |
| int3 |
| jmp 00007F238070E974h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007F2380705FE2h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007F2380705FE5h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007F2380705FDDh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007F2380705766h |
| int3 |
| dec eax |
| mov eax, esp |
| dec eax |
| mov dword ptr [eax+08h], ebx |
| dec eax |
| mov dword ptr [eax+10h], ebp |
| dec eax |
| mov dword ptr [eax+18h], esi |
| dec eax |
| mov dword ptr [eax+20h], edi |
| inc ecx |
| push esi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov ebx, dword ptr [ecx+38h] |
| dec eax |
| mov esi, edx |
| dec ebp |
| mov esi, eax |
| dec eax |
| mov ebp, ecx |
| dec ecx |
| mov edx, ecx |
| dec eax |
| mov ecx, esi |
| dec ecx |
| mov edi, ecx |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69638 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74000 | 0x4291220 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6f000 | 0x3cfc | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4300c00 | 0x998c0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4306000 | 0xb18 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x61b60 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x61d00 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x61bc0 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x50000 | 0x450 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4e2ec | 0x4e400 | d4d2e093d48cc9e7deb6f16e4c4d4510 | False | 0.5204610123801917 | data | 6.471270119324688 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x50000 | 0x1a4d0 | 0x1a600 | 13963a4af3ffe2fd6b4f26292b15e08c | False | 0.43549133590047395 | data | 5.112600792532151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x6b000 | 0x350c | 0x1e00 | 115e48b62085ebd2a3b695ba77267d0a | False | 0.15091145833333333 | DOS executable (block device driver) | 3.261064407548195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x6f000 | 0x3cfc | 0x3e00 | b1da50022a1102b3240ca3a38efb5067 | False | 0.4769405241935484 | data | 5.599998597201377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0x73000 | 0xf4 | 0x200 | 217914a1ea98ecd77c60cbc406c834d6 | False | 0.32421875 | data | 2.4688333672793643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x74000 | 0x4291220 | 0x4291400 | 96ceb2750e87858affd7267c673bbda5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x4306000 | 0xb18 | 0xc00 | 7849c6576b547e63ecccbec6dc4e411b | False | 0.4973958333333333 | data | 5.28255770132007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x4303798 | 0x2 | data | English | United States | 5.0 |
| BIN | 0x74938 | 0x2ca00 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.49060092787114845 |
| BIN | 0xc9538 | 0x422a0ae | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Nexthink Collector Windows Installer, Author: Nexthink S.A., Keywords: Installer, Comments: Nexthink Collector (24.2.3.2) for Windows 10 and above, Windows Server 2016 and above., Template: x64;1033, Revision Number: {ADCBBDBB-0708-4650-A785-2F1A7F4B049E}, Create Time/Date: Wed Mar 13 14:11:32 2024, Last Saved Time/Date: Wed Mar 13 14:11:32 2024, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5722), Security: 4 | English | United States | 0.9637260437011719 |
| BIN | 0xa1338 | 0x28200 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.4862429419781931 |
| RT_BITMAP | 0x42f9db8 | 0x993a | Device independent bitmap graphic, 210 x 62 x 24, image size 39186, resolution 2834 x 2834 px/m | English | United States | 0.07296181104369551 |
| RT_ICON | 0x42f4670 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.29609929078014185 |
| RT_ICON | 0x42f4ad8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.19098360655737706 |
| RT_ICON | 0x42f5460 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.13860225140712945 |
| RT_ICON | 0x42f6508 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.09367219917012448 |
| RT_ICON | 0x42f8ab0 | 0x12b2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9114082741328876 |
| RT_DIALOG | 0x42f3960 | 0xb06 | data | English | United States | 0.3543586109142452 |
| RT_DIALOG | 0x42f4468 | 0x204 | data | English | United States | 0.5581395348837209 |
| RT_STRING | 0x43037a0 | 0x3e | data | English | United States | 0.6129032258064516 |
| RT_STRING | 0x4303e58 | 0x494 | data | English | United States | 0.3174061433447099 |
| RT_STRING | 0x43042f0 | 0x706 | data | English | United States | 0.27196885428253614 |
| RT_STRING | 0x43049f8 | 0x150 | data | English | United States | 0.43452380952380953 |
| RT_STRING | 0x43037e0 | 0x678 | data | English | United States | 0.3254830917874396 |
| RT_STRING | 0x4304ca0 | 0x49e | data | English | United States | 0.2571912013536379 |
| RT_STRING | 0x4305140 | 0xda | data | English | United States | 0.4908256880733945 |
| RT_STRING | 0x4304b48 | 0x152 | data | English | United States | 0.4881656804733728 |
| RT_GROUP_ICON | 0x42f9d68 | 0x4c | data | English | United States | 0.7763157894736842 |
| RT_VERSION | 0x745b0 | 0x384 | data | English | United States | 0.42444444444444446 |
| RT_MANIFEST | 0x42f35e8 | 0x376 | XML 1.0 document, ASCII text | English | United States | 0.4887133182844244 |
| None | 0x43036f8 | 0x9c | data | English | United States | 0.3333333333333333 |
| DLL | Import |
|---|---|
| COMCTL32.dll | |
| SHLWAPI.dll | PathFileExistsW, PathIsDirectoryW |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| KERNEL32.dll | CreateFileW, CloseHandle, SizeofResource, WriteFile, EndUpdateResourceW, Sleep, LockResource, GlobalAlloc, DeleteFileW, GlobalFree, LoadResource, FindResourceW, UpdateResourceW, GlobalLock, FreeLibrary, BeginUpdateResourceW, GlobalUnlock, LoadLibraryExW, GetFileSizeEx, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, ReadFile, GetLastError, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW, SetEndOfFile, FreeEnvironmentStringsW, MultiByteToWideChar, HeapReAlloc, SetFilePointerEx, InitializeCriticalSectionEx, RaiseException, DecodePointer, DeleteCriticalSection, GetStringTypeW, WideCharToMultiByte, CompareStringEx, EnterCriticalSection, LeaveCriticalSection, EncodePointer, LCMapStringEx, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwindEx, RtlPcToFileHeader, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapFree, HeapAlloc, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, RtlUnwind |
| USER32.dll | LoadImageW, EnableWindow, MessageBoxW, LoadStringW, GetWindowTextLengthW, GetWindowRect, DialogBoxParamW, SetWindowTextW, EndDialog, SetDlgItemTextW, GetDlgItemTextW, LoadIconW, GetDlgItem, SetDlgItemInt, SetWindowPos, GetDlgItemInt, SendMessageW |
| COMDLG32.dll | GetOpenFileNameW |
| ADVAPI32.dll | CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
| Target ID: | 0 |
| Start time: | 17:23:12 |
| Start date: | 16/04/2024 |
| Path: | C:\Users\user\Desktop\Nexthink_Collector_Installer_Silent.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d7560000 |
| File size: | 70'886'592 bytes |
| MD5 hash: | A734E0EA93D16C673272CD373DF1FAF5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
⊘No disassembly