Edit tour

Windows Analysis Report
NursultanClient.exe1.exe

Overview

General Information

Sample name:	NursultanClient.exe1.exe
Analysis ID:	1638422
MD5:	8b77a97c1565f0bcd30d78cee136f3a5
SHA1:	34966691826f79c7d6fc534677e26f85a21f9cbb
SHA256:	ded6b8977bb022452a8cb526243e12a57cef4baf52c8afa2ef56ea8c258bc300
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NursultanClient.exe1.exe (PID: 5148 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 3120 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5156 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

NursultanClient.exe1.exe (PID: 7080 cmdline: C:\Users\user\Desktop\NursultanClient.exe1.exe MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 2688 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7200 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

MpCmdRun.exe (PID: 2688 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NursultanClient.exe1.exe (PID: 7848 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 7904 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7944 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

NursultanClient.exe1.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 8120 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8168 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NursultanClient.exe1.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\NursultanClient.exe1.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.2436169120.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.2435369964.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2434858855.0000000002761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1178855649.0000000000302000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2477623541.0000000007900000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 5148	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 7080	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 7848	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 8060	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.NursultanClient.exe1.exe.300000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\NursultanClient.exe1.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\NursultanClient.exe1.exe, ProcessId: 5148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NursultanClient.exe1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\NursultanClient.exe1.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: NursultanClient.exe1.exe	Virustotal: Detection: 34%			Perma Link
Source: NursultanClient.exe1.exe	ReversingLabs: Detection: 26%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: NursultanClient.exe1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: NursultanClient.exe1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256TU2 source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2474797378.000000000780E000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NursultanClient.exe1.exe, 00000000.00000002.2428397514.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NursultanClient.exe1.exe, 00000000.00000002.2428397514.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: st.pdb source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: a.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, 00000000.00000002.2477623541.0000000007900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2474797378.000000000780E000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: global traffic

TCP traffic: 192.168.2.4:49718 -> 147.185.221.26:54480

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.237.62.213 104.237.62.213
Source: Joe Sandbox View	IP Address: 147.185.221.26 147.185.221.26

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: api64.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: george-webcam.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: api64.ipify.org

Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002787000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2436169120.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NursultanClient.exe1.exe, 00000000.00000002.2465236157.0000000006892000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2436169120.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	String found in binary or memory: https://api64.ipify.org/
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2474757837.000000000740C000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: NursultanClient.exe1.exe, Form1.cs	.Net Code: CaptureScreenshotOptimized
Source: NursultanClient.exe1.exe.0.dr, Form1.cs	.Net Code: CaptureScreenshotOptimized

Contains functionality to log keystrokes (.Net Source)

Source: NursultanClient.exe1.exe, KeyLogger.cs	.Net Code: SetupKeyboardHook
Source: NursultanClient.exe1.exe.0.dr, KeyLogger.cs	.Net Code: SetupKeyboardHook

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Code function: 0_2_07BE2E1C SetWindowsHookExW 0000000D,00000000,?,?

0_2_07BE2E1C

Installs a global keyboard hook

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Code function: 0_2_08C85D3A GetKeyState,GetKeyState,GetKeyState,

0_2_08C85D3A

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe			Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F685A0	0_2_06F685A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F67CD0	0_2_06F67CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F67988	0_2_06F67988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07BED6D0	0_2_07BED6D0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07BE7DE0	0_2_07BE7DE0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09B5D300	0_2_09B5D300
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09B50FA8	0_2_09B50FA8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09B50F98	0_2_09B50F98
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09B50006	0_2_09B50006
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC0040	5_2_04CC0040
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC63FF	5_2_04CC63FF
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC09FF	5_2_04CC09FF
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC0A00	5_2_04CC0A00
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_052D85A0	5_2_052D85A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_052D7CD0	5_2_052D7CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_052D7988	5_2_052D7988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_07C21F60	5_2_07C21F60
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_07C26950	5_2_07C26950
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_07C2A158	5_2_07C2A158
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_07C2A168	5_2_07C2A168
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_08866900	5_2_08866900
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_05160040	15_2_05160040
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_051609F0	15_2_051609F0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_05160A00	15_2_05160A00
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_073F85A0	15_2_073F85A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_073F7CD0	15_2_073F7CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_073F7988	15_2_073F7988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08016388	15_2_08016388
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08011418	15_2_08011418
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08019BB8	15_2_08019BB8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08019BC8	15_2_08019BC8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08018C49	15_2_08018C49
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08B06A40	15_2_08B06A40
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086AF2D0	19_2_086AF2D0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086A1418	19_2_086A1418
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086A6768	19_2_086A6768
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086A9FC8	19_2_086A9FC8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086A9FB8	19_2_086A9FB8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_086A9F92	19_2_086A9F92
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_0933ACF0	19_2_0933ACF0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 19_2_09336460	19_2_09336460

Source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002787000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.2474975386.0000000006E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000000.1179011889.0000000000494000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.2425676143.000000000092E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.2427470445.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.2474797378.000000000780E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000013.00000002.2436169120.0000000003327000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe.0.dr	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe

Source: NursultanClient.exe1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: NursultanClient.exe1.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NursultanClient.exe1.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskSchedulerSnapshot.cs	Task registration methods: 'InternalCreate', 'Create'
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'

Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal92.spyw.evad.winEXE@26/22@2/2

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Users\user\AppData\Local\Temp\HDNvtekAudioCache

Jump to behavior

Source: NursultanClient.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NursultanClient.exe1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NursultanClient.exe1.exe	Virustotal: Detection: 34%
Source: NursultanClient.exe1.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File read: C:\Users\user\Desktop\NursultanClient.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe C:\Users\user\Desktop\NursultanClient.exe1.exe
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NursultanClient.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NursultanClient.exe1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NursultanClient.exe1.exe

Static file information: File size 1642496 > 1048576

Source: NursultanClient.exe1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x190400

Source: NursultanClient.exe1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NursultanClient.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256TU2 source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2474797378.000000000780E000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NursultanClient.exe1.exe, 00000000.00000002.2428397514.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NursultanClient.exe1.exe, 00000000.00000002.2428397514.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2471391940.0000000006C2A000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2432333535.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: st.pdb source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: a.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, 00000000.00000002.2477623541.0000000007900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: NursultanClient.exe1.exe, 00000000.00000002.2452794909.0000000003876000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2452794909.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2454084617.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2457213266.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2474797378.000000000780E000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.0000000004397000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2454492140.000000000447F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: NursultanClient.exe1.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: NursultanClient.exe1.exe.0.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.38df610.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 5.2.NursultanClient.exe1.exe.37f0588.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 15.2.NursultanClient.exe1.exe.3cc29a8.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: NursultanClient.exe1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NursultanClient.exe1.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2436169120.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2435369964.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2434858855.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1178855649.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2477623541.0000000007900000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\NursultanClient.exe1.exe, type: DROPPED

Source: NursultanClient.exe1.exe

Static PE information: 0x8429E54A [Fri Apr 6 15:16:26 2040 UTC]

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07BE33F5 push edi; ret	0_2_07BE33F6
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07BE3231 pushad ; retf	0_2_07BE3232
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_08C81D06 push FFFFFF8Bh; iretd	0_2_08C81D08
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_00A2CE20 push cs; ret	5_2_00A2CE2E
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_00A2CF08 push cs; ret	5_2_00A2CF16
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_00A2CF60 push cs; ret	5_2_00A2CF6E
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_00A2D08A push es; ret	5_2_00A2D096
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_00A2B566 push edi; ret	5_2_00A2B567
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC8C18 push eax; retf 0004h	5_2_04CC8C1A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CCEC23 push esp; iretd	5_2_04CCEC26
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC8DAF push eax; retf 0004h	5_2_04CC8DB2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC8DA8 push eax; retf 0004h	5_2_04CC8DAA
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC8EE8 push ecx; retf 0004h	5_2_04CC8EEA
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC949F push esp; retf 0004h	5_2_04CC94A2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9410 push esp; retf 0004h	5_2_04CC9412
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9431 push esp; retf 0004h	5_2_04CC9432
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC95B0 push ebp; retf 0004h	5_2_04CC95B2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9541 push ebp; retf 0004h	5_2_04CC9542
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9741 push esi; retf 0004h	5_2_04CC9742
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9758 push esi; retf 0004h	5_2_04CC975A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9019 push ecx; retf 0004h	5_2_04CC901A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9118 push edx; retf 0004h	5_2_04CC911A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC92E1 push ebx; retf 0004h	5_2_04CC92E2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC7279 push cs; ret	5_2_04CC727E
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC93F0 push esp; retf 0004h	5_2_04CC93F2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9351 push esp; retf 0004h	5_2_04CC9352
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9379 push esp; retf 0004h	5_2_04CC937A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC9330 push ebx; retf 0004h	5_2_04CC9332
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC7C3B push cs; ret	5_2_04CC7C3E
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC788F push cs; ret	5_2_04CC78A7
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 5_2_04CC99F0 push edi; retf 0004h	5_2_04CC99F2

Source: NursultanClient.exe1.exe	Static PE information: section name: .text entropy: 7.951730369753831
Source: NursultanClient.exe1.exe.0.dr	Static PE information: section name: .text entropy: 7.951730369753831

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NursultanClient.exe1			Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NursultanClient.exe1			Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 4760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 17F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 4706	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 4981	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 4980	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 4670	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 6862
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 2429
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 8404
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 1101

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6764	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 5376	Thread sleep count: 156 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7692	Thread sleep count: 4980 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7696	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7672	Thread sleep count: 4670 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7696	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7880	Thread sleep count: 118 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 8020	Thread sleep count: 6862 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 8024	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 8008	Thread sleep count: 2429 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 8088	Thread sleep count: 106 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 3740	Thread sleep count: 8404 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7276	Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7276	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 5652	Thread sleep count: 1101 > 30

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477

Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: CheckForQEMU
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002787000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002671000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2436169120.0000000003327000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: NursultanClient.exe1.exe.0.dr	Binary or memory string: vmware
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: qemuwmi
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: QEMU HARDDISK
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: qemu-ga5Error checking processes: KAny.Run sandbox environment detected!#Sandbox Detection9No Any.Run sandbox detected.
Source: NursultanClient.exe1.exe, 00000000.00000002.2474975386.0000000006E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS'tc
Source: NursultanClient.exe1.exe, 0000000F.00000002.2469046397.0000000006EEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NursultanClient.exe1.exe, 00000005.00000002.2466954813.0000000006B20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO
Source: NursultanClient.exe1.exe, 00000013.00000002.2468526244.00000000074D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll44

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model

Source: z.txt.0.dr	Binary or memory string: [06:54:55] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:52] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:57] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [00:39:29] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002916000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002878000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: z.txt.0.dr	Binary or memory string: [14:49:47] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [03:33:11] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[23:42:17] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:11:47] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [15:12:46] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:09:28] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:11:26] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:12:05] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [03:25:02] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[23:42:17] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [22:14:19] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [15:56:22] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:32] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:11:54] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:31] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [10:50:23] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [15:36:45] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:58:35] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:07:48] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:58:33] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [18:07:51] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [23:42:17] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:55:33] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:00:06] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:33] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [16:44:10] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:11:26] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002928000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000005.00000002.2434452900.000000000299B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB
Source: z.txt.0.dr	Binary or memory string: [06:23:46] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:12:05] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:07:21] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:32:12] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [11:29:00] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [10:20:53] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:39] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:49:31] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:59:53] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:57:03] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:01] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:55:38] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:55:02] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [23:16:41] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [12:10:14] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [18:32:12] Window changed: 'Program Manager' (Process: explorer, PID: 3964)ekAudioCache\z.txt' because it is being used by another process.
Source: z.txt.0.dr	Binary or memory string: [03:56:33] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002761000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2434858855.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: z.txt.0.dr	Binary or memory string: [07:06:10] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:11:47] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:11:54] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:07:48] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:08:00] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:08:00] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:24] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [18:32:12] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [11:52:02] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:26] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:11:54] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:08:00] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:17] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002878000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:12:12] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:12:05] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:56:22] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [14:55:31] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [01:45:53] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [15:18:51] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [14:45:21] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [12:06:21] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000013.00000002.2436169120.0000000003762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[08:04:03] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:07:32] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2436169120.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerP
Source: z.txt.0.dr	Binary or memory string: [06:55:27] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:42] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002996000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:07:48] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000013.00000002.2436169120.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0xU
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002738000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.2435369964.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000013.00000002.2436169120.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: z.txt.0.dr	Binary or memory string: [06:54:47] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qK[07:11:26] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000005.00000002.2434452900.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qM[07:11:47] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [11:09:09] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: NursultanClient.exe1.exe, 00000000.00000002.2434858855.0000000002787000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [23:42:17] Window changed: 'Program Manager' (Process: explorer, PID: 3964)ekAudioCache\z.txt' because it is being used by another process.
Source: z.txt.0.dr	Binary or memory string: [22:48:45] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:54:45] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [06:57:45] Window changed: 'Program Manager' (Process: explorer, PID: 3964)
Source: z.txt.0.dr	Binary or memory string: [07:02:12] Window changed: 'Program Manager' (Process: explorer, PID: 3964)

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	11 Scheduled Task/Job	12 Process Injection	2 Masquerading	311 Input Capture	331 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	311 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NursultanClient.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
NursultanClient.exe1.exe