Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.948001089404294
Filename:	USBRecoveryCreator.exe
Filesize:	74500240
MD5:	23a460c02cc1b3b220ecb54cbd974a6a
SHA1:	ece022c7d45ccf9afd5b72c33f1dcfc85a42c204
SHA256:	dc86aed4873dbb3cef993c84533d83efc4ad35150ae32c15d22c40adbb511c43
SHA512:	333aebed6643bd38e2fbe052e1d31c36ba2f5c828defb699d50b700e475fe9fe2175eaed244eb1bef292dc7f6f34461802e924f5a9f4177f03760ad05af6be18
SSDEEP:	1572864:o7lbWgSb6k8QLc49MATBx3zUUCKfhFPON+VoUAYTjeWmoUHQArfLeq:gBSbvTZmAT3wUTKUbTmoUwCD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o..P..,P..,P..,YvK,D..,.{.-C..,.{.-M..,.{.-...,.\|.-X..,.\|.-]..,P..,[..,.{.-V..,.{.-...,.{.-Q..,.{.-Q..,RichP..,...............

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary	Masquerading
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\0ba7d819-f360-4626-b4fb-4b6a653ac16c.tmp
Category:	dropped
Dump:	0ba7d819-f360-4626-b4fb-4b6a653ac16c.tmp.10.dr
ID:	dr_80
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	6.072353008075773
Encrypted:	false
Size:	16243
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\246e527c-8108-42ea-be7a-ff7f7c6b46e4.tmp
Category:	modified
Dump:	246e527c-8108-42ea-be7a-ff7f7c6b46e4.tmp.10.dr
ID:	dr_85
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	6.067214133779568
Encrypted:	false
Size:	17477
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\3f2621aa-bb61-4f6d-9263-164c8242a7de.tmp
Category:	dropped
Dump:	3f2621aa-bb61-4f6d-9263-164c8242a7de.tmp.10.dr
ID:	dr_32
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.457602145833757
Encrypted:	false
Size:	2054
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\5301e1b9-15c2-49f0-95dd-104cd89f2234.tmp
Category:	dropped
Dump:	5301e1b9-15c2-49f0-95dd-104cd89f2234.tmp.10.dr
ID:	dr_34
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.29175198715765
Encrypted:	false
Size:	2901
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
ID:	dr_26
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.697368202273589
Encrypted:	false
Size:	951
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma (copy)
Category:	dropped
Dump:	BrowserMetrics-spare.pma.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma.tmp
Category:	dropped
Dump:	BrowserMetrics-spare.pma.tmp.10.dr
ID:	dr_86
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Size:	1310720
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\settings.dat
Category:	dropped
Dump:	settings.dat.10.dr
ID:	dr_24
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	1.8873942837026088
Encrypted:	false
Size:	280
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
Category:	dropped
Dump:	throttle_store.dat.10.dr
ID:	dr_23
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text
Entropy:	3.6219280948873624
Encrypted:	false
Size:	20
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\027a0f36-1d5f-43db-80d9-0c51c5940405.tmp
Category:	dropped
Dump:	027a0f36-1d5f-43db-80d9-0c51c5940405.tmp.10.dr
ID:	dr_17
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.580537754134039
Encrypted:	false
Size:	6780
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\38a36b08-5554-42c3-af0c-8cf1267052d7.tmp
Category:	dropped
Dump:	38a36b08-5554-42c3-af0c-8cf1267052d7.tmp.10.dr
ID:	dr_84
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.859838656668776
Encrypted:	false
Size:	6495
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp
Category:	dropped
Dump:	39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
ID:	dr_18
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.836106496442749
Encrypted:	false
Size:	5905
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\42d11d95-a355-4f26-a41f-510a537d3e4c.tmp
Category:	dropped
Dump:	42d11d95-a355-4f26-a41f-510a537d3e4c.tmp.10.dr
ID:	dr_79
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.856830977544024
Encrypted:	false
Size:	6393
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_0
Category:	dropped
Dump:	data_0.13.dr
ID:	dr_92
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.25265355233628506
Encrypted:	false
Size:	45056
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_1
Category:	dropped
Dump:	data_10.13.dr
ID:	dr_93
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.5043132015940609
Encrypted:	false
Size:	270336
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_2
Category:	dropped
Dump:	data_20.13.dr
ID:	dr_94
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.4660234612505231
Encrypted:	false
Size:	1056768
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_3
Category:	dropped
Dump:	data_3.13.dr
ID:	dr_95
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.596348794073559
Encrypted:	false
Size:	4202496
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000001
Category:	dropped
Dump:	f_000001.13.dr
ID:	dr_59
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	Unicode text, UTF-8 text, with very long lines (49130), with no line terminators
Entropy:	5.2263689873475805
Encrypted:	false
Size:	49132
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000002
Category:	dropped
Dump:	f_000002.13.dr
ID:	dr_60
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with very long lines (3396)
Entropy:	5.537081313027966
Encrypted:	false
Size:	213738
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000003
Category:	dropped
Dump:	f_000003.13.dr
ID:	dr_61
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with very long lines (5945)
Entropy:	5.575008771882825
Encrypted:	false
Size:	302013
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000004
Category:	dropped
Dump:	f_000004.13.dr
ID:	dr_62
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	Unicode text, UTF-8 text, with very long lines (51681), with no line terminators
Entropy:	5.709022809150113
Encrypted:	false
Size:	51737
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000005
Category:	dropped
Dump:	f_000005.13.dr
ID:	dr_63
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with very long lines (22564), with no line terminators
Entropy:	4.914327749178371
Encrypted:	false
Size:	22564
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000006
Category:	dropped
Dump:	f_000006.13.dr
ID:	dr_64
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	C source, Unicode text, UTF-8 text, with very long lines (28643), with no line terminators
Entropy:	5.56467374089227
Encrypted:	false
Size:	28649
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000007
Category:	dropped
Dump:	f_000007.13.dr
ID:	dr_65
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	Unicode text, UTF-8 text, with very long lines (25453), with no line terminators
Entropy:	5.210289774391241
Encrypted:	false
Size:	25461
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000008
Category:	dropped
Dump:	f_000008.13.dr
ID:	dr_69
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	HTML document, ASCII text, with very long lines (32769)
Entropy:	5.371945023505273
Encrypted:	false
Size:	93867
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000009
Category:	dropped
Dump:	f_000009.13.dr
ID:	dr_70
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.888138810089
Encrypted:	false
Size:	307328
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000a
Category:	dropped
Dump:	f_00000a.13.dr
ID:	dr_71
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with very long lines (724)
Entropy:	5.646059185430787
Encrypted:	false
Size:	551834
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000b
Category:	dropped
Dump:	f_00000b.13.dr
ID:	dr_82
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with very long lines (65536), with no line terminators
Entropy:	6.022413301778022
Encrypted:	false
Size:	78840
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\index
Category:	dropped
Dump:	index.13.dr
ID:	dr_67
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	4.989325630401085E-4
Encrypted:	false
Size:	524656
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\012edbef7abcf9c9_0
Category:	dropped
Dump:	012edbef7abcf9c9_0.10.dr
ID:	dr_22
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.597244278034834
Encrypted:	false
Size:	259
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\01627f27fb7071ca_0
Category:	dropped
Dump:	01627f27fb7071ca_0.10.dr
ID:	dr_48
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.503249529812329
Encrypted:	false
Size:	219
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\1493379f364199af_0
Category:	dropped
Dump:	1493379f364199af_0.10.dr
ID:	dr_53
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.329216821969306
Encrypted:	false
Size:	230
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5639aaefef9788b1_0
Category:	dropped
Dump:	5639aaefef9788b1_0.10.dr
ID:	dr_54
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.459232892716585
Encrypted:	false
Size:	241
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\56ff516abbc097e3_0
Category:	dropped
Dump:	56ff516abbc097e3_0.10.dr
ID:	dr_21
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.486935389361818
Encrypted:	false
Size:	249
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\57587f1582d66016_0
Category:	dropped
Dump:	57587f1582d66016_0.10.dr
ID:	dr_75
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.597915883121067
Encrypted:	false
Size:	240
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5e6b352005ba6b9c_0
Category:	dropped
Dump:	5e6b352005ba6b9c_0.10.dr
ID:	dr_73
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.4980919158215285
Encrypted:	false
Size:	249
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\735bf054f08dabfd_0
Category:	dropped
Dump:	735bf054f08dabfd_0.10.dr
ID:	dr_50
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.43827034976762
Encrypted:	false
Size:	221
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\90b10fdbbf5e582a_0
Category:	dropped
Dump:	90b10fdbbf5e582a_0.10.dr
ID:	dr_51
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.291663433457455
Encrypted:	false
Size:	230
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\af91641539dc4e3a_0
Category:	dropped
Dump:	af91641539dc4e3a_0.10.dr
ID:	dr_52
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.3556507022103546
Encrypted:	false
Size:	246
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\c43927c4ca8e9a6d_0
Category:	dropped
Dump:	c43927c4ca8e9a6d_0.10.dr
ID:	dr_49
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.371845171584791
Encrypted:	false
Size:	239
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\d988bfbda8695bb4_0
Category:	dropped
Dump:	d988bfbda8695bb4_0.10.dr
ID:	dr_20
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	5.739579419347498
Encrypted:	false
Size:	262
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\temp-index
Category:	dropped
Dump:	temp-index1.10.dr
ID:	dr_81
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	x86 executable not stripped
Entropy:	4.792426332417204
Encrypted:	false
Size:	336
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index (copy)
Category:	dropped
Dump:	temp-index0.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RF4d0d28.TMP (copy)
Category:	dropped
Dump:	temp-index0.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index
Category:	dropped
Dump:	index0.10.dr
ID:	dr_33
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	2.1431558784658327
Encrypted:	false
Size:	24
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\temp-index
Category:	dropped
Dump:	temp-index.10.dr
ID:	dr_35
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	2.9972243200613975
Encrypted:	false
Size:	48
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index (copy)
Category:	dropped
Dump:	temp-index.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\data_1
Category:	dropped
Dump:	data_10.10.dr
ID:	dr_91
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	8.280239615765425E-4
Encrypted:	false
Size:	270336
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\index
Category:	dropped
Dump:	index2.10.dr
ID:	dr_39
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	9.47693366977411E-4
Encrypted:	false
Size:	262512
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_0
Category:	dropped
Dump:	data_00.10.dr
ID:	dr_88
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	dBase III DBT, next free block index 3238316739, block length 1024
Entropy:	0.028444322673708927
Encrypted:	false
Size:	45056
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_1
Category:	dropped
Dump:	data_1.10.dr
ID:	dr_89
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.03907509111859803
Encrypted:	false
Size:	270336
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_2
Category:	dropped
Dump:	data_2.10.dr
ID:	dr_90
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	dBase III DBT, next free block index 3238316739, block length 1024
Entropy:	0.08376133919497868
Encrypted:	false
Size:	1056768
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\index
Category:	dropped
Dump:	index1.10.dr
ID:	dr_38
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	9.553120663130604E-4
Encrypted:	false
Size:	262512
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp
Category:	dropped
Dump:	56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
ID:	dr_66
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	1.0
Encrypted:	false
Size:	2
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\65442db1-2f61-4545-a6d0-61bd377815a9.tmp
Category:	dropped
Dump:	65442db1-2f61-4545-a6d0-61bd377815a9.tmp.13.dr
ID:	dr_87
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.252848960418791
Encrypted:	false
Size:	1803
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\7a58ac41-47c3-4414-b6ee-90555ae92473.tmp
Category:	dropped
Dump:	7a58ac41-47c3-4414-b6ee-90555ae92473.tmp.13.dr
ID:	dr_57
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.1275671571169275
Encrypted:	false
Size:	40
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State (copy)
Category:	dropped
Dump:	e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d1333.TMP (copy)
Category:	dropped
Dump:	e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d812f.TMP (copy)
Category:	dropped
Dump:	e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports (copy)
Category:	dropped
Dump:	56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports~RF4c638a.TMP (copy)
Category:	dropped
Dump:	56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Sdch Dictionaries (copy)
Category:	dropped
Dump:	7a58ac41-47c3-4414-b6ee-90555ae92473.tmp.13.dr
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\d0f21931-ace5-4cde-9bcf-4e0b07f57c1b.tmp
Category:	modified
Dump:	d0f21931-ace5-4cde-9bcf-4e0b07f57c1b.tmp.13.dr
ID:	dr_83
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.619434150836742
Encrypted:	false
Size:	59
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp
Category:	dropped
Dump:	e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
ID:	dr_58
Target ID:	13
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.619434150836742
Encrypted:	false
Size:	59
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences (copy)
Category:	dropped
Dump:	39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cbb30.TMP (copy)
Category:	dropped
Dump:	39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cee17.TMP (copy)
Category:	dropped
Dump:	39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4d75c5.TMP (copy)
Category:	dropped
Dump:	39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\PreferredApps
Category:	dropped
Dump:	PreferredApps.10.dr
ID:	dr_78
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.051821770808046
Encrypted:	false
Size:	33
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\README
Category:	dropped
Dump:	README.10.dr
ID:	dr_29
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	4.2629097520179995
Encrypted:	false
Size:	182
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Secure Preferences (copy)
Category:	dropped
Dump:	027a0f36-1d5f-43db-80d9-0c51c5940405.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\000001.dbtmp
Category:	dropped
Dump:	000001.dbtmp.10.dr
ID:	dr_31
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text
Entropy:	3.2743974703476995
Encrypted:	false
Size:	16
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT (copy)
Category:	dropped
Dump:	000001.dbtmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
Category:	dropped
Dump:	MANIFEST-000001.10.dr
ID:	dr_37
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	OpenPGP Secret Key
Entropy:	4.704993772857998
Encrypted:	false
Size:	41
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\b9ef0d62-b181-4573-a293-e03534377839.tmp
Category:	dropped
Dump:	b9ef0d62-b181-4573-a293-e03534377839.tmp.10.dr
ID:	dr_74
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.856913687531697
Encrypted:	false
Size:	6159
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GrShaderCache\index
Category:	dropped
Dump:	index3.10.dr
ID:	dr_43
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	9.553120663130604E-4
Encrypted:	false
Size:	262512
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GraphiteDawnCache\data_0
Category:	dropped
Dump:	data_0.10.dr
ID:	dr_56
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Entropy:	0.01057775872642915
Encrypted:	false
Size:	8192
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GraphiteDawnCache\index
Category:	dropped
Dump:	index4.10.dr
ID:	dr_55
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	9.553120663130604E-4
Encrypted:	false
Size:	262512
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Last Version
Category:	dropped
Dump:	Last Version.10.dr
ID:	dr_28
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	2.7192945256669794
Encrypted:	false
Size:	13
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c6213.TMP (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c6261.TMP (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c8952.TMP (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4ceec3.TMP (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4d75c5.TMP (copy)
Category:	dropped
Dump:	6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\data_3
Category:	dropped
Dump:	data_3.10.dr
ID:	dr_30
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	0.012340643231932763
Encrypted:	false
Size:	8192
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\index
Category:	dropped
Dump:	index.10.dr
ID:	dr_27
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy:	9.553120663130604E-4
Encrypted:	false
Size:	262512
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings
Category:	dropped
Dump:	customSettings.10.dr
ID:	dr_44
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	4.3818353308528755
Encrypted:	false
Size:	47
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14
Category:	dropped
Dump:	customSettings_F95BA787499AB4FA9EFFF472CE383A14.10.dr
ID:	dr_45
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.014438730983427
Encrypted:	false
Size:	35
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris
Category:	dropped
Dump:	customSynchronousLookupUris.10.dr
ID:	dr_41
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	3.922828737239167
Encrypted:	false
Size:	29
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris_0
Category:	dropped
Dump:	customSynchronousLookupUris_0.10.dr
ID:	dr_42
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	7.99333285466604
Encrypted:	true
Size:	35302
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings
Category:	dropped
Dump:	edgeSettings.10.dr
ID:	dr_15
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	3.5724312513221195
Encrypted:	false
Size:	18
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings_2.0-0
Category:	dropped
Dump:	edgeSettings_2.0-0.10.dr
ID:	dr_16
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.459693941095613
Encrypted:	false
Size:	3581
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\synchronousLookupUris
Category:	dropped
Dump:	synchronousLookupUris.10.dr
ID:	dr_40
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	4.493433469104717
Encrypted:	false
Size:	47
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\topTraffic
Category:	dropped
Dump:	topTraffic.10.dr
ID:	dr_46
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	ASCII text, with no line terminators
Entropy:	3.9904355005135823
Encrypted:	false
Size:	50
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371
Category:	dropped
Dump:	topTraffic_170540185939602997400506234197983529371.10.dr
ID:	dr_47
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	7.999649474060713
Encrypted:	true
Size:	575056
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Variations
Category:	dropped
Dump:	Variations.10.dr
ID:	dr_25
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	4.3751917412896075
Encrypted:	false
Size:	86
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\d0eb52f5-0d88-4b3a-8151-07a3b526ecd4.tmp
Category:	dropped
Dump:	d0eb52f5-0d88-4b3a-8151-07a3b526ecd4.tmp.10.dr
ID:	dr_19
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	JSON data
Entropy:	5.274396304706787
Encrypted:	false
Size:	3425
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary	System Information Discovery
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\Patch.zip
Category:	modified
Dump:	Patch.zip.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy:	7.998646744279036
Encrypted:	true
Size:	5048993
Whitelisted:	false

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\SanitizerOptions.json
Category:	dropped
Dump:	SanitizerOptions.json.0.dr
ID:	dr_14
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	3.544734095128017
Encrypted:	false
Size:	911
Whitelisted:	false

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\ThirdPartyNotices.txt
Category:	dropped
Dump:	ThirdPartyNotices.txt.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
Entropy:	5.188380685218441
Encrypted:	false
Size:	94420
Whitelisted:	false

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\USBComponent.dll
Category:	dropped
Dump:	USBComponent.dll.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.415661387821956
Encrypted:	false
Size:	179472
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\msvcp140.dll
Category:	dropped
Dump:	msvcp140.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.693790505404224
Encrypted:	false
Size:	448408
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\ProgramData\Lenovo\USBRecoveryCreator\vcruntime140.dll
Category:	dropped
Dump:	vcruntime140.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.936349345750277
Encrypted:	false
Size:	90520
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Category:	dropped
Dump:	5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres.10.dr
ID:	dr_77
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	3.850625322628129
Encrypted:	false
Size:	2278
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres
Category:	dropped
Dump:	e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres.10.dr
ID:	dr_76
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type:	data
Entropy:	3.912879467044931
Encrypted:	false
Size:	2684
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\D3DCompiler_47_cor3.dll
Category:	dropped
Dump:	D3DCompiler_47_cor3.dll.0.dr
ID:	dr_7
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.577665867424953
Encrypted:	false
Size:	4127200
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\Lenovo.CertificateValidation.Native.dll
Category:	dropped
Dump:	Lenovo.CertificateValidation.Native.dll.0.dr
ID:	dr_12
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.5270976270211145
Encrypted:	false
Size:	308120
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\PenImc_cor3.dll
Category:	dropped
Dump:	PenImc_cor3.dll.0.dr
ID:	dr_8
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.44368804805963
Encrypted:	false
Size:	145584
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\PresentationNative_cor3.dll
Category:	dropped
Dump:	PresentationNative_cor3.dll.0.dr
ID:	dr_9
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.31976158432139
Encrypted:	false
Size:	945840
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\WebView2Loader.dll
Category:	dropped
Dump:	WebView2Loader.dll1.0.dr
ID:	dr_13
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.470572997559548
Encrypted:	false
Size:	115624
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\runtimes\win-arm64\native\WebView2Loader.dll
Category:	dropped
Dump:	WebView2Loader.dll0.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32+ executable (DLL) (console) Aarch64, for MS Windows
Entropy:	6.08860710021013
Encrypted:	false
Size:	135656
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\runtimes\win-x64\native\WebView2Loader.dll
Category:	dropped
Dump:	WebView2Loader.dll.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy:	6.183536777437394
Encrypted:	false
Size:	160184
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\vcruntime140_cor3.dll
Category:	dropped
Dump:	vcruntime140_cor3.dll.0.dr
ID:	dr_10
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.94127019484021
Encrypted:	false
Size:	90520
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\wpfgfx_cor3.dll
Category:	dropped
Dump:	wpfgfx_cor3.dll.0.dr
ID:	dr_11
Target ID:	0
Process:	C:\Users\user\Desktop\USBRecoveryCreator.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.558105251240892
Encrypted:	false
Size:	1804976
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
USBRecoveryCreator.exe

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportUSBRecoveryCreator.exe

Files

Domains

IPs

IOC Report
USBRecoveryCreator.exe