Loading ...

Play interactive tourEdit tour

Analysis Report PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe

Overview

General Information

Sample Name:PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Analysis ID:402742
MD5:e10c403a6eec866d5772812c5edcc0a7
SHA1:8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
SHA256:9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
Tags:exeNanoCore
Infos:

Most interesting Screenshot:

Detection

Nanocore AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe (PID: 6308 cmdline: 'C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
    • cmd.exe (PID: 6700 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6792 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • explorers.exe (PID: 4496 cmdline: 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
      • AMRAW.exe (PID: 4632 cmdline: 'C:\Users\user\AppData\Roaming\AMRAW.exe' MD5: 9DD5E6B584F3AF71756DE02F45B4E0C8)
      • InstallUtil.exe (PID: 5652 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • schtasks.exe (PID: 6336 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6976 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • explorers.exe (PID: 5636 cmdline: 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
  • InstallUtil.exe (PID: 4276 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6300 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "098e4f4f-7679-4607-961c-79d0e067", "Group": "NEW", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\AMRAW.exeJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1101f:$x1: NanoCore.ClientPluginHost
    • 0x1105c:$x2: IClientNetworkHost
    • 0x14b8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0x10d87:$a: NanoCore
        • 0x10d97:$a: NanoCore
        • 0x10fcb:$a: NanoCore
        • 0x10fdf:$a: NanoCore
        • 0x1101f:$a: NanoCore
        • 0x10de6:$b: ClientPlugin
        • 0x10fe8:$b: ClientPlugin
        • 0x11028:$b: ClientPlugin
        • 0x10f0d:$c: ProjectData
        • 0x6374d:$c: ProjectData
        • 0x11914:$d: DESCrypto
        • 0x6527f:$d: DESCrypto
        • 0x192e0:$e: KeepAlive
        • 0x643df:$e: KeepAlive
        • 0x172ce:$g: LogClientMessage
        • 0x134c9:$i: get_Connected
        • 0x63930:$i: get_Connected
        • 0x11c4a:$j: #=q
        • 0x11c7a:$j: #=q
        • 0x11c96:$j: #=q
        • 0x11cc6:$j: #=q
        00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost
        Click to see the 49 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xff05:$x1: NanoCore Client.exe
        • 0x1018d:$x2: NanoCore.ClientPluginHost
        • 0x117c6:$s1: PluginCommand
        • 0x117ba:$s2: FileCommand
        • 0x1266b:$s3: PipeExists
        • 0x18422:$s4: PipeCreated
        • 0x101b7:$s5: IClientLoggingHost
        0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
          • 0xfef5:$a: NanoCore
          • 0xff05:$a: NanoCore
          • 0x10139:$a: NanoCore
          • 0x1014d:$a: NanoCore
          • 0x1018d:$a: NanoCore
          • 0xff54:$b: ClientPlugin
          • 0x10156:$b: ClientPlugin
          • 0x10196:$b: ClientPlugin
          • 0x1007b:$c: ProjectData
          • 0x10a82:$d: DESCrypto
          • 0x1844e:$e: KeepAlive
          • 0x1643c:$g: LogClientMessage
          • 0x12637:$i: get_Connected
          • 0x10db8:$j: #=q
          • 0x10de8:$j: #=q
          • 0x10e04:$j: #=q
          • 0x10e34:$j: #=q
          • 0x10e50:$j: #=q
          • 0x10e6c:$j: #=q
          • 0x10e9c:$j: #=q
          • 0x10eb8:$j: #=q
          0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
          • 0xe38d:$x1: NanoCore.ClientPluginHost
          • 0xe3ca:$x2: IClientNetworkHost
          • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
          Click to see the 107 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5652, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Sigma detected: Scheduled temp file as task from temp locationShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentImage: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentProcessId: 5652, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', ProcessId: 6336

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Antivirus detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeAvira: detection malicious, Label: TR/Spy.Gen8
          Found malware configurationShow sources
          Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "098e4f4f-7679-4607-961c-79d0e067", "Group": "NEW", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
          Source: 18.2.explorers.exe.449ec58.5.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeReversingLabs: Detection: 82%
          Source: C:\Users\user\AppData\Roaming\explorers.exeReversingLabs: Detection: 12%
          Multi AV Scanner detection for submitted fileShow sources
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeVirustotal: Detection: 30%Perma Link
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeReversingLabs: Detection: 12%
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
          Source: Yara matchFile source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.InstallUtil.exe.6860000.10.raw.unpa