Edit tour

Windows Analysis Report
UnInstDaemon.exe

Overview

General Information

Sample name:	UnInstDaemon.exe
Analysis ID:	1662984
MD5:	12efa0cf526660fb40b51cd0a6803243
SHA1:	66240015b7a62f3be3a90ebac18e62ded16e87c8
SHA256:	f4f04622550043b143e57dbbdd2029cfcf1bcbc44545ddff76201741e8bd8063
Infos:

Detection

Score:	25
Range:	0 - 100
Confidence:	20%

Signatures

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64native

UnInstDaemon.exe (PID: 1132 cmdline: "C:\Users\TEMP\Desktop\UnInstDaemon.exe" MD5: 12EFA0CF526660FB40B51CD0A6803243)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: UnInstDaemon.exe

Static PE information: certificate valid

Source: UnInstDaemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Code function: 4x nop then jmp 027411ABh	0_2_02741058
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_02745CB8
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Code function: 4x nop then jmp 027411ABh	0_2_02741048
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_02745CAE

Source: UnInstDaemon.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackH9116d88d-13b2-4182-8498-4530aac1b83f.Microsoft.BingWal
Source: UnInstDaemon.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackSis

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Process Stats: CPU usage > 6%

Source: UnInstDaemon.exe, 00000000.00000002.860627777946.00000000008FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs UnInstDaemon.exe

Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildEventPayload
Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildMetricPayload
Source: UnInstDaemon.exe, ApplicationInsightsTelemetryService.cs	Suspicious method names: .ApplicationInsightsTelemetryService.BuildExceptionPayload

Source: classification engine

Classification label: sus25.evad.winEXE@1/0@0/0

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Mutant created: NULL
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Mutant created: \Sessions\1\BaseNamedObjects\bwu-{e200bcf0-fc02-4919-90a0-d3c3daeee66b}

Source: UnInstDaemon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UnInstDaemon.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior

Source: UnInstDaemon.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: UnInstDaemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UnInstDaemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: UnInstDaemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: UnInstDaemon.exe

Static PE information: 0x8A08C5CF [Thu May 21 14:18:55 2043 UTC]

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Window / User API: threadDelayed 9943

Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe TID: 5564	Thread sleep count: 9943 > 30			Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe TID: 1048	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Process Stats: CPU usage > 5% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Users\TEMP\Desktop\UnInstDaemon.exe VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Management.winmd VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Foundation.winmd VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.ApplicationModel.winmd VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.System.winmd VolumeInformation	Jump to behavior

Source: C:\Users\TEMP\Desktop\UnInstDaemon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	133 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	133 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UnInstDaemon.exe	0%	ReversingLabs
UnInstDaemon.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dc.services.visualstudio.com/v2/trackSis	UnInstDaemon.exe	false		high
https://dc.services.visualstudio.com/v2/trackH9116d88d-13b2-4182-8498-4530aac1b83f.Microsoft.BingWal	UnInstDaemon.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1662984
Start date and time:	2025-04-11 11:40:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	UnInstDaemon.exe
Detection:	SUS
Classification:	sus25.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 52.111.229.19, 20.42.73.30
Excluded domains from analysis (whitelisted): self.events.data.microsoft.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com

Simulations

Behavior and APIs

Time	Type	Description
05:42:42	API Interceptor	30512704x Sleep call for process: UnInstDaemon.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.178702956029725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UnInstDaemon.exe
File size:	50'736 bytes
MD5:	12efa0cf526660fb40b51cd0a6803243
SHA1:	66240015b7a62f3be3a90ebac18e62ded16e87c8
SHA256:	f4f04622550043b143e57dbbdd2029cfcf1bcbc44545ddff76201741e8bd8063
SHA512:	47f29be935eda5bf80c235192721bf6630d983d438dab9cec5b655050727462cc3549c1a52191bb44d02a9a41f962ea9278d8f376f0935eea623872c53094fb5
SSDEEP:	768:MLoYSq4vvB204klZaM/JcQgvRUSIDCCDJOTD+9zGAY:MLXS5H74FQjxD8TWzGAY
TLSH:	8C338F4DB3DC4613E9BF2ABAA87484510F77F567A911D76E0DC894D928A33814D20B3F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b11e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8A08C5CF [Thu May 21 14:18:55 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/09/2024 22:11:13 11/09/2025 22:11:13
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	951A35417DAF1CB8A4336614BADF5A84
Thumbprint SHA-1:	245D262748012A4FE6CE8BA6C951A4C4AFBC3E5D
Thumbprint SHA-256:	4466ED9AEBC11CA869C22F056DF40297AB3FA8E0A3A12B3698F7E90AF7EF596D
Serial:	3300000403BDD5955D0F3B18AD000000000403

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x614	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9e00	0x2830
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9124	0x9200	a4986203065bec262790fe498a908ab1	False	0.4438142123287671	data	5.808217058957112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x614	0x800	e338c042505c80a6866df2956bbd81df	False	0.3310546875	data	3.4563042031927895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	c7bc3841c1f79f9e603aa0f946939057	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc090	0x384	data			0.41555555555555557
RT_MANIFEST	0xc424	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName	Microsoft Corp.
FileDescription	UnInstDaemon
FileVersion	1.1.390.0
InternalName	UnInstDaemon.exe
LegalCopyright	Copyright Microsoft Corp. 2024
LegalTrademarks
OriginalFilename	UnInstDaemon.exe
ProductName	UnInstDaemon
ProductVersion	1.1.390.0
Assembly Version	1.1.390.0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• UnInstDaemon.exe

Click to jump to process

Memory Usage

• UnInstDaemon.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: UnInstDaemon.exePID: 1132, Parent PID: 5252

Function Logs

General

Target ID:	0
Start time:	05:42:35
Start date:	11/04/2025
Path:	C:\Users\TEMP\Desktop\UnInstDaemon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\TEMP\Desktop\UnInstDaemon.exe"
Imagebase:	0x400000
File size:	50'736 bytes
MD5 hash:	12EFA0CF526660FB40B51CD0A6803243
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Found

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: UnInstDaemon.exePID: 1132, Parent PID: 5252COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	43.8%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 02741048 Relevance: 1.4, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR?i, xrefs: 02741101

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID:
String ID: LR?i
API String ID: 0-4077793671
Opcode ID: db06a95a977da45fe394bf0a3978941689595dc0dc107ffa3d0b2b8c1cda3339
Instruction ID: fe5d66dda981303c3323aef01bc41a0c87c41e6760a54908af1bc1316283c32f
Opcode Fuzzy Hash: db06a95a977da45fe394bf0a3978941689595dc0dc107ffa3d0b2b8c1cda3339
Instruction Fuzzy Hash: 3741DD74D00258DFDB04DFE9D894ADCBBB2AF89304F10812AE419BB264EB345986CF14

Function 02741058 Relevance: 1.4, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR?i, xrefs: 02741101

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID:
String ID: LR?i
API String ID: 0-4077793671
Opcode ID: 1226f3e211571e7f882ec500c8cf57bfe780fa2dbea049b345cdf1215b684acd
Instruction ID: 02b67b32023376c10026a0fb79eca61e43ce370a78fff871658cff83aef333ca
Opcode Fuzzy Hash: 1226f3e211571e7f882ec500c8cf57bfe780fa2dbea049b345cdf1215b684acd
Instruction Fuzzy Hash: 0341BE74D01258CFCB08DFE9D844ADDBBF2AF89304F50912AE419BB264EB355985CF14

Function 02745CAE Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60eae3db2c0c0dcb15f115063a322f3b7440a6156079061075c5c1feae422e7
Instruction ID: 070fe4a6a9eb278d0ee7d0eb5ab65a07fba84d413b898622f88c9d5f6dad5834
Opcode Fuzzy Hash: b60eae3db2c0c0dcb15f115063a322f3b7440a6156079061075c5c1feae422e7
Instruction Fuzzy Hash: C251CE74D00218DFDB24CFA9C988BDEBBB1BF49308F20906AD509BB251DB75A945CF54

Function 02745CB8 Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9f7e2db2cb2cf624592182a05ae9507ab72435292819a6c34ae6cadff535c5
Instruction ID: 38bd646eedb220ac0eef203976c8a9d4d5c54dab1745bb4c8e4022dad3f63bf8
Opcode Fuzzy Hash: ab9f7e2db2cb2cf624592182a05ae9507ab72435292819a6c34ae6cadff535c5
Instruction Fuzzy Hash: 6551BD74D00218DFDB24CFA9C988BDEBBB1BB49308F20906AD509BB251DB755985CF54

Function 02740720 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 0274124E

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: a561a4562a1c945288cb5d86f1ae9a5c5ae688cfb5ce37db0896263d17030712
Instruction ID: 505121d7af05793e6f85a87d31a91e86c1076905e491a636599eb40e86dcceda
Opcode Fuzzy Hash: a561a4562a1c945288cb5d86f1ae9a5c5ae688cfb5ce37db0896263d17030712
Instruction Fuzzy Hash: ED412475D09248DFCB02DFA9D880ADDBBB0EF4A314F00409AE955BB212D734A848CF65

Function 027412A0 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 0274124E

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: f2b43536c2762b171c1a185f9f6c8f1d24b9bacca95fd2007b7da2ad4cdbbde3
Instruction ID: c507eb0be8a8f9cbe0c4e4052aef5048147eb96a3916673674a3d42cfe3ca25f
Opcode Fuzzy Hash: f2b43536c2762b171c1a185f9f6c8f1d24b9bacca95fd2007b7da2ad4cdbbde3
Instruction Fuzzy Hash: F84189B4E002189FCF10CFA9D584ADEFBF0AB49328F24905AE818B7251C775A945CFA5

Function 027406FC Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 0274124E

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 8cc21b8c7abe873fd74a62f7b2b5db12e0e0581aeff9fa73f9d0952087a34bf9
Instruction ID: 5889cddcc1cc1ce30cacb6a4819b5a12be7ff76eb3d15f78b23f07ac567dd32b
Opcode Fuzzy Hash: 8cc21b8c7abe873fd74a62f7b2b5db12e0e0581aeff9fa73f9d0952087a34bf9
Instruction Fuzzy Hash: 2F3199B4E042089FCB10DFA9E584ADEFBF4EB49314F10906AE818B7310D774A945CFA5

Function 027411C9 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(?), ref: 0274124E

Memory Dump Source

Source File: 00000000.00000002.860628812122.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2740000_UnInstDaemon.jbxd

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: e7e405c49bf2ade3ebfa8b7241cded3e35605cd34f0400de8f379c7bdef0e46d
Instruction ID: ccd791717e1e77232edf26bc6c06a5e59e662cb7b3ba56d5106e16f41c0b449c
Opcode Fuzzy Hash: e7e405c49bf2ade3ebfa8b7241cded3e35605cd34f0400de8f379c7bdef0e46d
Instruction Fuzzy Hash: 533198B4D002189FCB10CFA9D584ADEFBF4AB49314F10906AE818B7310D734A945CFA5

Function 00DBD654 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628548014.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fde09135bca3482cf1bcc1b8518654e3f64dd9f6e4ad715ef38e78f0360a00
Instruction ID: 1d2f0177fb26befed384eb85af8a13edeac4c7e6d2b93fe6979c8769c0c1ffc0
Opcode Fuzzy Hash: 06fde09135bca3482cf1bcc1b8518654e3f64dd9f6e4ad715ef38e78f0360a00
Instruction Fuzzy Hash: 23213375504244DFCB00DF14D8C4FAABB62FB98324F248569E94A0B246D736D806CBB2

Function 00DCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628598290.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1625498e1411f66688a68161165a4f33fa1c50920bd2b7cab26607843ef5ff2a
Instruction ID: 565bddf4069a43b8db0f1e5793c421207b8ecfaa6a209270ae7720b42c7421f7
Opcode Fuzzy Hash: 1625498e1411f66688a68161165a4f33fa1c50920bd2b7cab26607843ef5ff2a
Instruction Fuzzy Hash: 42210370204240DFCB10DF18DC84F16BBA2EB84314F24C97DE94A4B282C736D807DA72

Function 00DCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628598290.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc7c0b1ab8a3b621b55a45dda83cbee8e11eabe2cf0e73c3184d9c4fb3e1646
Instruction ID: eb56955c5d73c2a3e8020337604f025b4e6b74682d0954cb411e9965fee85367
Opcode Fuzzy Hash: 8bc7c0b1ab8a3b621b55a45dda83cbee8e11eabe2cf0e73c3184d9c4fb3e1646
Instruction Fuzzy Hash: 972186755093809FCB02CF24D994B15BF71EB46314F28C5EED8458B697C33A980ACB62

Function 00DBD64F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628548014.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b4a0f2dfa200fd812581ea48e0ce25dbd1a095eb2890e4a1de5da8ccd7432f
Instruction ID: 378f48a7a52b183c38ad04ecda1741e9a087bd6b5cb8889a50b53dc807e8456d
Opcode Fuzzy Hash: d6b4a0f2dfa200fd812581ea48e0ce25dbd1a095eb2890e4a1de5da8ccd7432f
Instruction Fuzzy Hash: 5111D376504280DFCB11CF10D9C4B56BF72FB94324F28C6A9D90A4B656C336D856CBA2

Function 00DBD055 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628548014.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dbe0efac82d4abc3892cfde1dd1f6ebaadfcd56d0be7a123c0cb6ee456bc48
Instruction ID: 500320e0f8c35c0d9eb7bbac6d3886d258af6e3ce41508aa5a7a162526988723
Opcode Fuzzy Hash: 25dbe0efac82d4abc3892cfde1dd1f6ebaadfcd56d0be7a123c0cb6ee456bc48
Instruction Fuzzy Hash: 0501AC71108740DAE7105A15C9C87A7FF99DF41364F18C456ED4A5A282E779D841CA71

Function 00DBD054 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.860628548014.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_UnInstDaemon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9a00b86395c13f4ff783117732f55dbc6e269fd0c04904c6ba8c622ed0a608
Instruction ID: cbde7d9b838fb15b6b69a329ba4e4fd5a1b01cce80f25ad2670c6e7145f92d93
Opcode Fuzzy Hash: 3b9a00b86395c13f4ff783117732f55dbc6e269fd0c04904c6ba8c622ed0a608
Instruction Fuzzy Hash: 46F06271408740EEE7108E16C988B63FFA9EB51734F18C55AED095B286D2799C45CAB1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UnInstDaemon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: UnInstDaemon.exePID: 1132, Parent PID: 5252

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Volume Information Queried

Windows Analysis Report
UnInstDaemon.exe

Function 02741048 Relevance: 1.4, Strings: 1, Instructions: 122
COMMON

Function 02741058 Relevance: 1.4, Strings: 1, Instructions: 116
COMMON

Function 02745CAE Relevance: .1, Instructions: 125
COMMON

Function 02745CB8 Relevance: .1, Instructions: 123
COMMON

Function 02740720 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 027412A0 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 027406FC Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 027411C9 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON