Analysis
max time kernel: 150s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system
submitted: 25-07-2024 17:31
Static task: static1
Behavioral task: behavioral1
Sample: Nexthink_Collector_autoglassbr-T77.exe
Resource: win11-20240709-en
General
Target: Nexthink_Collector_autoglassbr-T77.exe
Size: 67.4MB
MD5: bbe39c9b18a0cf01dc06e7e6066182d8
SHA1: c1ce5ff1045f340391872f7f14d596df91987ead
SHA256: e9de164b71f028dfd1211ad2a7bf17f698f2592e031d1776fb061321906ac274
SHA512: 01aa24e0bd6c2a082b618d3cc20deddf590b43f682bc39e3002b3559de16268921a9fce5d21bec974affa21a57f7d6af80634d038377f1503867247d61ba0437
SSDEEP: 1572864:bTvLOok9zgMPQFTb1D5XdRJBdYmfCqZs0i3Ig9CxcCu8t:XTOV7YlhV5Ym6qZsH3J9C7t
Malware Config
Signatures
-
Drops file in Drivers directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\nxtrdrvwfp.sys | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\nxtrdrv5.sys | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\nxtrdrv.sys | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETF5F9.tmp | nxtdrvinst.exe
File created | C:\Windows\system32\DRIVERS\SETF5F9.tmp | nxtdrvinst.exe
File created | C:\Windows\system32\DRIVERS\SETF619.tmp | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\nxtrdrvwfp.sys | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\nxtrdrv.sys | nxtdrvinst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETF619.tmp | nxtdrvinst.exe
Executes dropped EXE 2 IoCs
pid | Process
4640 | nxtdrvinst.exe
1908 | nxtdrvinst.exe
Loads dropped DLL 28 IoCs
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\nxtcfg.exe | msiexec.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 46 IoCs
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wevtutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wevtutil.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 40 IoCs
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2620 | msiexec.exe
2620 | msiexec.exe
4592 | MsiExec.exe
4592 | MsiExec.exe
4592 | MsiExec.exe
4592 | MsiExec.exe
3684 | MsiExec.exe
3684 | MsiExec.exe
3684 | MsiExec.exe
3684 | MsiExec.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
664 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 26 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\Nexthink_Collector_autoglassbr-T77.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nexthink_Collector_autoglassbr-T77.exe"
  PID: 452
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe -i "C:\Users\Admin\AppData\Local\Temp\Nexthink_Collector.msi" /quiet DRV_IP=nexthink.servops.help DRV_PORT=999 CRD_PORT=443 CRD_KEY="-----BEGIN CUSTOMER KEY-----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-----END CUSTOMER KEY-----" DRV_TAG=77 DRV_STRING_TAG="autoglassbr" INSTALL_BROWSER_EXTENSION=disable CFG_INSTALL=1 DRV_PREFERIPV6=0 DRV_WEB_AND_CLOUD_DATA=1 ARPSYSTEMCOMPONENT=0 PRINTING=disable USE_ASSIGNMENT=disable DATA_OVER_TCP=enable RA_EXECUTION_POLICY=signed_trusted_or_nexthink ENGAGE=enable_except_on_server_os REBOOT=ReallySuppress /l*v C:\Users\Admin\AppData\Local\Temp\Install_Nexthink_Collector.log
      PID: 1968
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2620
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 28AC624415DAD686B1AE777DBE32FB67
      PID: 3280
      - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 84FE2A1B1AA0BCBBE9786846C41D86C1
      PID: 4592
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 4BFCEC191772C24598A4FE7B258264EC E Global\MSI0000
      PID: 2860
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C76DD9D24F444E387EA8D418EF08D4D7 E Global\MSI0000
      PID: 3684
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\wevtutil.exe
          Command line: "wevtutil.exe" im "C:\Program Files\Nexthink\Collector\Collector\nxtwpm-etw-manifest.xml"
          PID: 3084
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\wevtutil.exe
              Command line: "wevtutil.exe" im "C:\Program Files\Nexthink\Collector\Collector\nxtwpm-etw-manifest.xml" /fromwow64
              PID: 704

        C:\Windows\SysWOW64\wevtutil.exe
          Command line: "wevtutil.exe" um "C:\Program Files\Nexthink\Collector\Collector\nxtwpm-etw-manifest.xml"
          PID: 4904
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\wevtutil.exe
              Command line: "wevtutil.exe" um "C:\Program Files\Nexthink\Collector\Collector\nxtwpm-etw-manifest.xml" /fromwow64
              PID: 4980

    C:\Program Files\Nexthink\Collector\Collector\nxtdrvinst.exe
      Command line: "C:\Program Files\Nexthink\Collector\Collector\nxtdrvinst.exe" /install
      PID: 4640
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in Windows directory

    C:\Program Files\Nexthink\Collector\Collector\nxtdrvinst.exe
      Command line: "C:\Program Files\Nexthink\Collector\Collector\nxtdrvinst.exe" /rollback
      PID: 1908
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads