Edit tour

Windows Analysis Report
UnInstDaemon.exe

Overview

General Information

Sample name:	UnInstDaemon.exe
Analysis ID:	1662984
MD5:	12efa0cf526660fb40b51cd0a6803243
SHA1:	66240015b7a62f3be3a90ebac18e62ded16e87c8
SHA256:	f4f04622550043b143e57dbbdd2029cfcf1bcbc44545ddff76201741e8bd8063
Infos:

Detection

Score:	26
Range:	0 - 100
Confidence:	20%

Signatures

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

UnInstDaemon.exe (PID: 7976 cmdline: "C:\Users\user\Desktop\UnInstDaemon.exe" MD5: 12EFA0CF526660FB40B51CD0A6803243)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: UnInstDaemon.exe

Static PE information: certificate valid

Source: UnInstDaemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Code function: 4x nop then jmp 00A715ABh		0_2_00A71458
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Code function: 4x nop then jmp 00A715ABh		0_2_00A71449

Source: UnInstDaemon.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackH9116d88d-13b2-4182-8498-4530aac1b83f.Microsoft.BingWal
Source: UnInstDaemon.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackSis

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Process Stats: CPU usage > 49%

Source: UnInstDaemon.exe, 00000000.00000002.3706577552.00000000006F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UnInstDaemon.exe
Source: UnInstDaemon.exe, 00000000.00000002.3707245382.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UnInstDaemon.exe

Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildEventPayload
Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildMetricPayload
Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildExceptionPayload

Source: classification engine

Classification label: sus26.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Mutant created: \Sessions\1\BaseNamedObjects\bwu-{e200bcf0-fc02-4919-90a0-d3c3daeee66b}

Source: UnInstDaemon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UnInstDaemon.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior

Source: UnInstDaemon.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: UnInstDaemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UnInstDaemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: UnInstDaemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: UnInstDaemon.exe

Static PE information: 0x8A08C5CF [Thu May 21 14:18:55 2043 UTC]

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Code function: 0_2_00A742D7 push ebx; ret

0_2_00A742DA

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Memory allocated: 2440000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Window / User API: threadDelayed 1890			Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Window / User API: threadDelayed 7928			Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe TID: 8020	Thread sleep count: 1890 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe TID: 8020	Thread sleep count: 7928 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe TID: 8024	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Process Stats: CPU usage > 42% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Users\user\Desktop\UnInstDaemon.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Management.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Foundation.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.ApplicationModel.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.System.winmd VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UnInstDaemon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	133 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	133 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UnInstDaemon.exe	0%	Virustotal		Browse
UnInstDaemon.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dc.services.visualstudio.com/v2/trackSis	UnInstDaemon.exe	false		high
https://dc.services.visualstudio.com/v2/trackH9116d88d-13b2-4182-8498-4530aac1b83f.Microsoft.BingWal	UnInstDaemon.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1662984
Start date and time:	2025-04-11 11:33:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UnInstDaemon.exe
Detection:	SUS
Classification:	sus26.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.1.62.115, 52.149.20.212, 150.171.27.254
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
05:34:31	API Interceptor	17419633x Sleep call for process: UnInstDaemon.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.178702956029725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UnInstDaemon.exe
File size:	50'736 bytes
MD5:	12efa0cf526660fb40b51cd0a6803243
SHA1:	66240015b7a62f3be3a90ebac18e62ded16e87c8
SHA256:	f4f04622550043b143e57dbbdd2029cfcf1bcbc44545ddff76201741e8bd8063
SHA512:	47f29be935eda5bf80c235192721bf6630d983d438dab9cec5b655050727462cc3549c1a52191bb44d02a9a41f962ea9278d8f376f0935eea623872c53094fb5
SSDEEP:	768:MLoYSq4vvB204klZaM/JcQgvRUSIDCCDJOTD+9zGAY:MLXS5H74FQjxD8TWzGAY
TLSH:	8C338F4DB3DC4613E9BF2ABAA87484510F77F567A911D76E0DC894D928A33814D20B3F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b11e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8A08C5CF [Thu May 21 14:18:55 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/09/2024 22:11:13 11/09/2025 22:11:13
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	951A35417DAF1CB8A4336614BADF5A84
Thumbprint SHA-1:	245D262748012A4FE6CE8BA6C951A4C4AFBC3E5D
Thumbprint SHA-256:	4466ED9AEBC11CA869C22F056DF40297AB3FA8E0A3A12B3698F7E90AF7EF596D
Serial:	3300000403BDD5955D0F3B18AD000000000403

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x614	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9e00	0x2830
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9124	0x9200	a4986203065bec262790fe498a908ab1	False	0.4438142123287671	data	5.808217058957112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x614	0x800	e338c042505c80a6866df2956bbd81df	False	0.3310546875	data	3.4563042031927895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	c7bc3841c1f79f9e603aa0f946939057	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc090	0x384	data			0.41555555555555557
RT_MANIFEST	0xc424	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName	Microsoft Corp.
FileDescription	UnInstDaemon
FileVersion	1.1.390.0
InternalName	UnInstDaemon.exe
LegalCopyright	Copyright Microsoft Corp. 2024
LegalTrademarks
OriginalFilename	UnInstDaemon.exe
ProductName	UnInstDaemon
ProductVersion	1.1.390.0
Assembly Version	1.1.390.0

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2025 11:35:08.675548077 CEST	53	65084	162.159.36.2	192.168.2.5

Statistics

CPU Usage

• UnInstDaemon.exe

Click to jump to process

Memory Usage

• UnInstDaemon.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: UnInstDaemon.exePID: 7976, Parent PID: 3084

Function Logs

General

Target ID:	0
Start time:	05:34:25
Start date:	11/04/2025
Path:	C:\Users\user\Desktop\UnInstDaemon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UnInstDaemon.exe"
Imagebase:	0x2d0000
File size:	50'736 bytes
MD5 hash:	12EFA0CF526660FB40B51CD0A6803243
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: UnInstDaemon.exePID: 7976, Parent PID: 3084COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.9%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Executed Functions

Function 00A71449 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f28a7f938f8c36eeaa8e5ef8da01df156f069a6853f5f1100bfa11776be2fb0
Instruction ID: 220c56a7f11cf1df8e1e54d9ffb7cb32dc5bcd2cfaf77bb268d730a431aa6987
Opcode Fuzzy Hash: 0f28a7f938f8c36eeaa8e5ef8da01df156f069a6853f5f1100bfa11776be2fb0
Instruction Fuzzy Hash: 2941CA74D00218CFDB18DFE9D984AEDBBF2BB89300F24812AE409AB264D7355986CF14

Function 00A71458 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb593088a4b3886085564ea20f95b6545cb4ec4e3c2a0591228a7c9c6622237
Instruction ID: b933dbf3e218d173133d93a81f3bff3d70ccc8a6988a98ca4e6d9e90dbfbac6e
Opcode Fuzzy Hash: ceb593088a4b3886085564ea20f95b6545cb4ec4e3c2a0591228a7c9c6622237
Instruction Fuzzy Hash: 8F41AB75D01218CFDB18DFE9D984ADDBBF2AF89300F20812AE419BB264D7355946CF14

Function 00A7A8B0 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A7B003

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fa9afc070bc0d0f07d0a198933ce33fbef80c3a89a1cd4d9dd913e3742986a5
Instruction ID: f66555d6158ed61a559f89511a734d39d1ec3a3910297672b0911bbc4b1593f8
Opcode Fuzzy Hash: 7fa9afc070bc0d0f07d0a198933ce33fbef80c3a89a1cd4d9dd913e3742986a5
Instruction Fuzzy Hash: 8D4176B9D002589FCF10CFA9D984ADEBBF5BB19310F14906AE918BB310D335A945DFA4

Function 00A7AF30 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A7B003

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 986f3a08db475b23c6343f5f9ae741c75e407eab1aff2e3e661cc9b3a2f37c0d
Instruction ID: 8aaee132b39d193059c16805a03c3569263f58369b64443eedc63cd6a7207aa6
Opcode Fuzzy Hash: 986f3a08db475b23c6343f5f9ae741c75e407eab1aff2e3e661cc9b3a2f37c0d
Instruction Fuzzy Hash: 314166B9D002589FCB10CFA9D984ADEBFF5BB09310F14902AE918BB310D375A945CF64

Function 00A70C24 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 00A7164E

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 96335287807cf75df4e017bfc9565bf7c78a8934612a87b151dface43a860e3a
Instruction ID: aaaa9401656323ec27e9e06f49b2a36eba2ad37d50e88659d5b274f200c377aa
Opcode Fuzzy Hash: 96335287807cf75df4e017bfc9565bf7c78a8934612a87b151dface43a860e3a
Instruction Fuzzy Hash: 543199B8D002589FCB10CFA9D984ADEFBF4EB49314F24906AE918B7310D775A945CFA4

Function 00A715C8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 00A7164E

Memory Dump Source

Source File: 00000000.00000002.3707198410.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: f8f5436a56e9e6979b7705e15fa6295b8861f2753fca239ddee21e0546cc9051
Instruction ID: 2f0e4c41847628db3e7a137942a53452fd2b50820fef2ce60f183b358c290e2f
Opcode Fuzzy Hash: f8f5436a56e9e6979b7705e15fa6295b8861f2753fca239ddee21e0546cc9051
Instruction Fuzzy Hash: CB3199B8D002589FCB10CFA9D984ADEFBF4BB49314F24906AE918B7310D735A945CFA4

Function 0089D740 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706774595.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89d000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db48a151adaefef5ead8f8875d5f5491be92ed9d95510404872a2dcc28076acb
Instruction ID: 587c8c9d67f343954dc5e67cb90e9b7460c69cc7a7081132c7721aae83eb0c09
Opcode Fuzzy Hash: db48a151adaefef5ead8f8875d5f5491be92ed9d95510404872a2dcc28076acb
Instruction Fuzzy Hash: DB213772504304EFDF15EF54D9C0B26BF65FB88324F28C569E9098B256C336D816CBA2

Function 008AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706818804.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a65cb14ec1b01f82340171db51d782cac9f771d9d476ed59e2c7d43c9d7281
Instruction ID: b8092f66a2c9a0773522bdd3bb3ed8e1edb72832cd38702657a621e68576c7d4
Opcode Fuzzy Hash: d3a65cb14ec1b01f82340171db51d782cac9f771d9d476ed59e2c7d43c9d7281
Instruction Fuzzy Hash: E4212271604704DFEB15DF24D980B26BB65FB89314F20C569E90ACBA86C33AD807CA61

Function 008AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706818804.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92a6ffe031441b7138e50cb6c61bdf6187c4c617e927d528423a5e0d4c2972b
Instruction ID: 5d55c87716ea5d519952f7cf54c9582df4936efa8f604ea9a274eda0276272e5
Opcode Fuzzy Hash: c92a6ffe031441b7138e50cb6c61bdf6187c4c617e927d528423a5e0d4c2972b
Instruction Fuzzy Hash: 60214F755087809FDB02CF24D994B11BF71FB46314F28C5EAD8498F6A7C33A985ACB62

Function 0089D73B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706774595.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89d000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
Instruction ID: 09d41df29ae7190552f68f194f9495c1330b868d8f93adf9aa249b06213b9420
Opcode Fuzzy Hash: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
Instruction Fuzzy Hash: 1D11E176504280DFCF12DF54D5C0B16BF71FB84310F28C5A9D8094B256C33AD85ACBA1

Function 0089D055 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706774595.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89d000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1482310a84a8d4917ad321615d0e56c72d0aed1743c6392710e3a4f75ebeeb
Instruction ID: 48b2edfa4f4a40a0071a5fef2be390085c5d5125e981e69cc2b143bf6472bb5a
Opcode Fuzzy Hash: 9b1482310a84a8d4917ad321615d0e56c72d0aed1743c6392710e3a4f75ebeeb
Instruction Fuzzy Hash: B101A7714057449AEB21AB25CD84B67BF98FF91334F2CC41AED098B282C2799842CAB5

Function 0089D054 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3706774595.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89d000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe4d0e2b3a566c93fae331a15ab2117eb1d9c43bf2d2007eb2fec8dade0b730
Instruction ID: f45163bf132e36c0ccac130af391d8de0581ed96fcf300b8ad0c447f8406e9f2
Opcode Fuzzy Hash: bbe4d0e2b3a566c93fae331a15ab2117eb1d9c43bf2d2007eb2fec8dade0b730
Instruction Fuzzy Hash: 2FF0C271404344AEEB108F19CD84B62FF98FB91324F28C45BED084B286C2799841CAB1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UnInstDaemon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: UnInstDaemon.exePID: 7976, Parent PID: 3084

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Windows Analysis Report
UnInstDaemon.exe

Function 00A7A8B0 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 00A7AF30 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 00A70C24 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 00A715C8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON