Edit tour

Windows Analysis Report
NursultanClient.exe1.exe

Overview

General Information

Sample name:	NursultanClient.exe1.exe
Analysis ID:	1638422
MD5:	8b77a97c1565f0bcd30d78cee136f3a5
SHA1:	34966691826f79c7d6fc534677e26f85a21f9cbb
SHA256:	ded6b8977bb022452a8cb526243e12a57cef4baf52c8afa2ef56ea8c258bc300
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NursultanClient.exe1.exe (PID: 2248 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 1332 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 60 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

NursultanClient.exe1.exe (PID: 2000 cmdline: C:\Users\user\Desktop\NursultanClient.exe1.exe MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 504 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7180 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

NursultanClient.exe1.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 7816 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7860 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

NursultanClient.exe1.exe (PID: 8052 cmdline: "C:\Users\user\Desktop\NursultanClient.exe1.exe" MD5: 8B77A97C1565F0BCD30D78CEE136F3A5)

cmd.exe (PID: 8108 cmdline: "cmd.exe" /c wmic diskdrive get model MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8156 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NursultanClient.exe1.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\SysWOW64\NursultanClient.exe1.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.3056571017.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.3056322219.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.3055787808.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1195526613.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 2248	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 2000	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 7752	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NursultanClient.exe1.exe PID: 8052	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.NursultanClient.exe1.exe.5e0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\NursultanClient.exe1.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\NursultanClient.exe1.exe, ProcessId: 2248, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NursultanClient.exe1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\NursultanClient.exe1.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: NursultanClient.exe1.exe	Virustotal: Detection: 34%			Perma Link
Source: NursultanClient.exe1.exe	ReversingLabs: Detection: 26%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: NursultanClient.exe1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49705 version: TLS 1.2

Source: NursultanClient.exe1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256TU2 source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: st.pdb source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: global traffic

TCP traffic: 192.168.2.6:49692 -> 147.185.221.26:54480

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.237.62.213 104.237.62.213
Source: Joe Sandbox View	IP Address: 147.185.221.26 147.185.221.26

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: api64.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: george-webcam.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: api64.ipify.org

Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3056322219.0000000003377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NursultanClient.exe1.exe, 00000014.00000002.3095779753.0000000009060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3056322219.0000000003377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	String found in binary or memory: https://api64.ipify.org/
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: NursultanClient.exe1.exe, Form1.cs	.Net Code: CaptureScreenshotOptimized
Source: NursultanClient.exe1.exe.0.dr, Form1.cs	.Net Code: CaptureScreenshotOptimized

Contains functionality to log keystrokes (.Net Source)

Source: NursultanClient.exe1.exe, KeyLogger.cs	.Net Code: SetupKeyboardHook
Source: NursultanClient.exe1.exe.0.dr, KeyLogger.cs	.Net Code: SetupKeyboardHook

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Code function: 0_2_07EC2DAC SetWindowsHookExW 0000000D,00000000,?,?

0_2_07EC2DAC

Installs a global keyboard hook

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NursultanClient.exe1.exe

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_08F85BE2 GetKeyState,GetKeyState,GetKeyState,	0_2_08F85BE2
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087EED90 GetKeyState,GetKeyState,GetKeyState,	6_2_087EED90
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087EED80 GetKeyState,GetKeyState,GetKeyState,	6_2_087EED80

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe			Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F885A0	0_2_06F885A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F87CD0	0_2_06F87CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_06F87988	0_2_06F87988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07ECD7F8	0_2_07ECD7F8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07EC8720	0_2_07EC8720
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_08F830C8	0_2_08F830C8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E5D308	0_2_09E5D308
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E50FA8	0_2_09E50FA8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_06E685A0	6_2_06E685A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_06E67CD0	6_2_06E67CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_06E67988	6_2_06E67988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_079E6410	6_2_079E6410
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_079E2088	6_2_079E2088
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_079E9CA8	6_2_079E9CA8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_079E9C70	6_2_079E9C70
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087EE6F0	6_2_087EE6F0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087E6460	6_2_087E6460
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_05EA85A0	15_2_05EA85A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_05EA7CD0	15_2_05EA7CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_05EA7988	15_2_05EA7988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08851418	15_2_08851418
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08856750	15_2_08856750
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08859FB8	15_2_08859FB8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_08859FC8	15_2_08859FC8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_0932ACF0	15_2_0932ACF0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_093207E8	15_2_093207E8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_09326460	15_2_09326460
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_079785A0	20_2_079785A0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_07977CD0	20_2_07977CD0
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_07977988	20_2_07977988
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_08796938	20_2_08796938
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_0879F500	20_2_0879F500
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_08791758	20_2_08791758
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_0879A1F8	20_2_0879A1F8
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_0879A208	20_2_0879A208
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_09286908	20_2_09286908

Source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002A57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000000.1195673272.0000000000774000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000000.00000002.3053635476.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000033E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe, 00000014.00000002.3056322219.0000000003377000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe
Source: NursultanClient.exe1.exe.0.dr	Binary or memory string: OriginalFilenamesvch> vs NursultanClient.exe1.exe

Source: NursultanClient.exe1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: NursultanClient.exe1.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NursultanClient.exe1.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskSchedulerSnapshot.cs	Task registration methods: 'InternalCreate', 'Create'
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'

Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal92.spyw.evad.winEXE@24/29@2/2

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Users\user\AppData\Local\Temp\HDNvtekAudioCache

Jump to behavior

Source: NursultanClient.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NursultanClient.exe1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NursultanClient.exe1.exe	Virustotal: Detection: 34%
Source: NursultanClient.exe1.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File read: C:\Users\user\Desktop\NursultanClient.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe C:\Users\user\Desktop\NursultanClient.exe1.exe
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: unknown	Process created: C:\Users\user\Desktop\NursultanClient.exe1.exe "C:\Users\user\Desktop\NursultanClient.exe1.exe"
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NursultanClient.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NursultanClient.exe1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NursultanClient.exe1.exe

Static file information: File size 1642496 > 1048576

Source: NursultanClient.exe1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x190400

Source: NursultanClient.exe1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NursultanClient.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256TU2 source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NursultanClient.exe1.exe, 00000006.00000002.3051703299.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3083649444.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3054175188.00000000016BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressedUde.microsoft.win32.taskscheduler.resources source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: st.pdb source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3073231524.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3088801361.00000000074A0000.00000004.08000000.00040000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003981000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3069778022.0000000003869000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.00000000044AD000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3075683315.0000000004543000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3076941011.00000000044D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: NursultanClient.exe1.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: NursultanClient.exe1.exe.0.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.3bafc98.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.NursultanClient.exe1.exe.3b0fc78.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 6.2.NursultanClient.exe1.exe.39812a8.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 6.2.NursultanClient.exe1.exe.6bf0000.4.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 6.2.NursultanClient.exe1.exe.6bf0000.4.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Yara detected Costura Assembly Loader

Source: Yara match	File source: NursultanClient.exe1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NursultanClient.exe1.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3056571017.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3056322219.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3055787808.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1195526613.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 2000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NursultanClient.exe1.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\NursultanClient.exe1.exe, type: DROPPED

Source: NursultanClient.exe1.exe

Static PE information: 0x8429E54A [Fri Apr 6 15:16:26 2040 UTC]

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_07EC33F5 push edi; ret	0_2_07EC33F6
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E57A62 push E801005Eh; ret	0_2_09E57A69
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E5CC58 push ds; ret	0_2_09E5CC6F
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E59F20 push E801005Eh; retf	0_2_09E59F61
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 0_2_09E5E15D push E8000000h; ret	0_2_09E5E169
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_06E6D059 push ss; retf	6_2_06E6D066
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_079E30C8 push ss; retf	6_2_079E30D6
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087EA950 pushfd ; ret	6_2_087EA95D
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087E3B40 push eax; ret	6_2_087E3B4D
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 6_2_087E6D30 push FFFFFFC3h; ret	6_2_087E6D4A
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_0885C528 push 8BD08B6Ah; iretd	15_2_0885C52F
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_0932A950 pushfd ; ret	15_2_0932A95D
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 15_2_09323B40 push eax; ret	15_2_09323B4D
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_07974D8D push FFFFFFE9h; iretd	20_2_07974DE9
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_0928D74C pushad ; retf	20_2_0928D751
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Code function: 20_2_0928D753 push edx; iretd	20_2_0928D779

Source: NursultanClient.exe1.exe	Static PE information: section name: .text entropy: 7.951730369753831
Source: NursultanClient.exe1.exe.0.dr	Static PE information: section name: .text entropy: 7.951730369753831

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

File created: C:\Windows\SysWOW64\NursultanClient.exe1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NursultanClient.exe1			Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NursultanClient.exe1			Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Media' OR Name LIKE '%microphone%')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 4A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 4800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 17D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 33C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 53C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 3350000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Memory allocated: 1960000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 4087	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 5559	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 833	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 1888	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 6961	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 2637
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 6979
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 1870
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Window / User API: threadDelayed 7732

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6156	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 1440	Thread sleep count: 833 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7412	Thread sleep count: 1888 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7412	Thread sleep count: 6961 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7428	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7428	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7788	Thread sleep count: 155 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7984	Thread sleep count: 2637 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7992	Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7992	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 7980	Thread sleep count: 6979 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 8080	Thread sleep count: 180 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6564	Thread sleep count: 1870 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6684	Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6684	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6640	Thread sleep count: 7732 > 30
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe TID: 6684	Thread sleep time: -99094s >= -30000s

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Thread delayed: delay time: 99094

Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: CheckForQEMU
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002801000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3056322219.0000000003377000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: NursultanClient.exe1.exe, 00000006.00000002.3082329886.0000000006A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: NursultanClient.exe1.exe.0.dr	Binary or memory string: vmware
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: qemuwmi
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: QEMU HARDDISK
Source: NursultanClient.exe1.exe, 00000000.00000002.3088248902.000000000786E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: NursultanClient.exe1.exe, NursultanClient.exe1.exe.0.dr	Binary or memory string: qemu-ga5Error checking processes: KAny.Run sandbox environment detected!#Sandbox Detection9No Any.Run sandbox detected.
Source: NursultanClient.exe1.exe, 0000000F.00000002.3086763104.000000000767C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NursultanClient.exe1.exe, 00000014.00000002.3087679114.0000000007592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c wmic diskdrive get model
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive get model

Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:48] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000014.00000002.3056322219.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000014.00000002.3056322219.0000000003377000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:33] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:43] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:20] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:30] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:03] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:51] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000033E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [07:06:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)DNvtekAudioCache\z.txt' because it is being used by another process.
Source: z.txt.0.dr	Binary or memory string: [07:06:13] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:00] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:37] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:03:59] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:42] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:12] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:22] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000003041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:55] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:02] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:42] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:48] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:01] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:11] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:21] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000038B4000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:32] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000003041000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:55] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000003186000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB
Source: z.txt.0.dr	Binary or memory string: [07:06:44] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000014.00000002.3056322219.00000000036F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:40] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:50] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:34] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:24] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:14] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000003046000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3055787808.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: z.txt.0.dr	Binary or memory string: [07:04:49] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:54] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:51] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:07] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:31] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:14] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:47] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000038BA000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: z.txt.0.dr	Binary or memory string: [07:04:48] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:46] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:28] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:51] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:51] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:43] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:03] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:26] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:09] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:23] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:37] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:17] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:06] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000003041000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:55] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:57] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:46] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 00000006.00000002.3055698461.00000000028D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8
Source: z.txt.0.dr	Binary or memory string: [07:05:49] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.00000000028D0000.00000004.00000800.00020000.00000000.sdmp, NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: NursultanClient.exe1.exe, 00000006.00000002.3055698461.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:51] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:11] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:22] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:03:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:37] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:42] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:38] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002D58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:50] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:28] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:35] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:09] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:58] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:45] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:27] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:07] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:05] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:14] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:54] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:37] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:57] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:47] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000038B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:39] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002D58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:50] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:29] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:19] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:03] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:13] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:23] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:43] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:18] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002A57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [07:06:55] Window changed: 'Program Manager' (Process: explorer, PID: 496)DNvtekAudioCache\z.txt' because it is being used by another process.
Source: z.txt.0.dr	Binary or memory string: [07:05:55] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:26] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:05] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:15] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:36] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:56] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:45] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:46] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:25] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:35] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:17] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:39] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.00000000038B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qJ[07:06:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:30] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:50] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:24] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000000.00000002.3055787808.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:37] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 00000014.00000002.3056322219.00000000036F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qL[07:06:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:53] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:40] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:33] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:41] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:16] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:58] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:03:58] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:16] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:05] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:36] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:25] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:28] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:19] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:08] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:39] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:52] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:41] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:21] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:06:10] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:04:32] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:01] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: NursultanClient.exe1.exe, 0000000F.00000002.3056571017.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, z.txt.0.dr	Binary or memory string: [07:06:48] Window changed: 'Program Manager' (Process: explorer, PID: 496)
Source: z.txt.0.dr	Binary or memory string: [07:05:59] Window changed: 'Program Manager' (Process: explorer, PID: 496)

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Users\user\Desktop\NursultanClient.exe1.exe VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NursultanClient.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Users\user\Desktop\NursultanClient.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	11 Scheduled Task/Job	12 Process Injection	2 Masquerading	311 Input Capture	321 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	311 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NursultanClient.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
NursultanClient.exe1.exe