Windows Analysis Report
FaceFodUninstaller.exe

Overview

General Information

Sample name:FaceFodUninstaller.exe
Analysis ID:1606345
MD5:b6a30c5f8d5885b7b96e9bac7675165f
SHA1:a7c572c7c5abc51131beb66d4c031337fef7f53c
SHA256:aca626f6c2aafbce1f273d1bbc16fbe2120b40cd939c54f4442dd00946860a99

Detection

Score:1
Range:0 - 100
Confidence:60%

Signatures

Binary contains a suspicious time stamp
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

  • System is w10x64
  • FaceFodUninstaller.exe (PID: 4292 cmdline: "C:\Users\user\Desktop\FaceFodUninstaller.exe" -install MD5: B6A30C5F8D5885B7B96E9BAC7675165F)
  • FaceFodUninstaller.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\FaceFodUninstaller.exe" /install MD5: B6A30C5F8D5885B7B96E9BAC7675165F)
  • FaceFodUninstaller.exe (PID: 1708 cmdline: "C:\Users\user\Desktop\FaceFodUninstaller.exe" /load MD5: B6A30C5F8D5885B7B96E9BAC7675165F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: FaceFodUninstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: FaceFodUninstaller.pdbGCTL | source: FaceFodUninstaller.exe
Source: Binary string: FaceFodUninstaller.pdb | source: FaceFodUninstaller.exe
Source: classification engine | Classification label: clean1.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\FaceFodUninstaller.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FaceFodUninstaller.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: FaceFodUninstaller.exe | String found in binary or memory: RoInitializeBWinHttpReceiveResponse%WinHttpGetDefaultProxyConfigurationapi-ms-win-core-registry-l1-1-0.dllapi-ms-win-core-com-l1-1-0.dllapi-ms-win-eventing-provider-l1-1-0.dllapi-ms-win-stateseparation-helpers-l1-1-0.dllWINHTTP.dllapi-ms-win-core-version-l1-1-1.dllapi-ms-win-core-version-l1-1-0.dllntdll.dllapi-ms-win-security-base-l1-1-0.dllapi-ms-win-core-winrt-l1-1-0.dllapi-ms-win-security-credentials-l1-1-0.dllLCoGetObjectWCoInitializeole32.dlll
Source: unknown | Process created: C:\Users\user\Desktop\FaceFodUninstaller.exe "C:\Users\user\Desktop\FaceFodUninstaller.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\FaceFodUninstaller.exe "C:\Users\user\Desktop\FaceFodUninstaller.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\FaceFodUninstaller.exe "C:\Users\user\Desktop\FaceFodUninstaller.exe" /load
Source: C:\Users\user\Desktop\FaceFodUninstaller.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\FaceFodUninstaller.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FaceFodUninstaller.exe | Section loaded: kernel.appcore.dll
Source: FaceFodUninstaller.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: FaceFodUninstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: FaceFodUninstaller.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FaceFodUninstaller.pdbGCTL | source: FaceFodUninstaller.exe
Source: Binary string: FaceFodUninstaller.pdb | source: FaceFodUninstaller.exe
Source: FaceFodUninstaller.exe | Static PE information: 0x8DFAB0F7 [Sun Jun 25 15:19:19 2045 UTC]
Source: FaceFodUninstaller.exe | Static PE information: section name: fothk
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the signature count the original matrix shows for that technique):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows)
Defense Evasion: Process Injection (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: System Information Discovery (1), Application Window Discovery, Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Command and Control: Data Obfuscation, Junk Data, Steganography
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Behavior Graph ID: 1606345 | Sample: FaceFodUninstaller.exe | Start date: 04/02/2025 | Architecture: WINDOWS | Score: 1 | Three FaceFodUninstaller.exe processes started from the root node
Source | Detection | Scanner
FaceFodUninstaller.exe | 0% | ReversingLabs
FaceFodUninstaller.exe | 0% | Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1606345
Start date and time:2025-02-04 10:23:31 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Cmdline fuzzy
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:FaceFodUninstaller.exe
Detection:CLEAN
Classification:clean1.winEXE@3/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):5.782586456444767
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:FaceFodUninstaller.exe
File size:200'704 bytes
MD5:b6a30c5f8d5885b7b96e9bac7675165f
SHA1:a7c572c7c5abc51131beb66d4c031337fef7f53c
SHA256:aca626f6c2aafbce1f273d1bbc16fbe2120b40cd939c54f4442dd00946860a99
SHA512:76784ec5394e970ff01ea8d3e3e098b0f44514d11581f928bea4d5a800b6df5d8e6b32380c556ee63acf6824db204411b64add81d60ad2eaf53a5661d097e553
SSDEEP:3072:OisfqOGnO3p6Bwp51imba7UiFrhoTvZkiV/m1K9zNYz5/w:SgO5YCLe7U1TJQ
TLSH:12143B6E36A510F5E17AC13DC9A30606F6B2B025072257EF02E1827E5F37BE4AD39B51
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+...+...+.......+...Se..+...+.../...+...+.......+.......+.......+.......+.......+.......+..Rich.+..................PE..d..
Icon Hash:00928e8e8686b000
Entrypoint:0x140002e40
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x8DFAB0F7 [Sun Jun 25 15:19:19 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:3ec1a21d0b6c30661ca255aa06e9d9e1
Instruction
dec eax
sub esp, 28h
call 00007F466C64DE70h
dec eax
add esp, 28h
jmp 00007F466C64D5C3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0002A809h]
jne 00007F466C64D762h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F466C64D753h
ret
dec eax
ror ecx, 10h
jmp 00007F466C64DB07h
int3
int3
int3
int3
int3
int3
jmp 00007F466C64DC60h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [0001E15Bh]
dec eax
mov ebx, ecx
dec eax
mov dword ptr [ecx], eax
test dl, 00000001h
je 00007F466C64D757h
call 00007F466C64DC3Ch
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F466C64E258h
test eax, eax
je 00007F466C64D773h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F466C64D757h
dec eax
cmp ecx, eax
je 00007F466C64D766h
xor eax, eax
dec eax
cmpxchg dword ptr [0002A880h], ecx
jne 00007F466C64D740h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F466C64D749h
int3
int3
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ab90 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x31000 | 0x1a10 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x33000 | 0x310 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x26248 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x21bf0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21ab0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x21c18 | 0x688 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1e68c | 0x1f000 | 509522cc8cfc02fc5a89862d075e531d | False | 0.4787203881048387 | data | 6.146274402628442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
fothk | 0x20000 | 0x1000 | 0x1000 | faeee59f1a8533621b93863f9d9740af | False | 0.009033203125 | ISO-8859 text, with very long lines (4096), with no line terminators | 0.015920183265625623 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x21000 | 0xb4e8 | 0xc000 | 5fff278daef684ee273ac3039f451990 | False | 0.3241373697916667 | data | 4.611931688476528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x3360 | 0x1000 | 4da75e6230889b6892d3a5d8f1ff9ed4 | False | 0.10205078125 | data | 1.5863595336812693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x31000 | 0x1a10 | 0x2000 | 84421c2bb7778d6ff66e9855cda1daee | False | 0.39990234375 | data | 4.444561887826421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x33000 | 0x368 | 0x1000 | 940d2a7fb6c58ba96328746b6c61d930 | False | 0.13671875 | data | 1.6894449076576266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
api-ms-win-crt-string-l1-1-0.dll | strcspn, wcsnlen, memset, wcscmp
api-ms-win-crt-locale-l1-1-0.dll | _lock_locales, _unlock_locales
api-ms-win-crt-runtime-l1-1-0.dll | _register_thread_local_exe_atexit_callback, _initterm, _c_exit, _initterm_e
api-ms-win-crt-private-l1-1-0.dll | _o__errno, _o__exit, _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__invalid_parameter_noinfo_noreturn, _o__ldclass, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o__wcsdup, _o__wcsicmp, _o__wcsnicmp, _o__wtof, _o__wtoi, _o_abort, _o_calloc, _o_exit, _o_free, _o_frexp, _o_localeconv, _o_malloc, _o_setlocale, _o_terminate, _o_wcscpy_s, __uncaught_exception, __C_specific_handler, __current_exception, __current_exception_context, _CxxThrowException, _o__dclass, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__calloc_base, _o__callnewh, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___pctype_func, wcsrchr, _o___p__commode, _o____mb_cur_max_func, _o____lc_locale_name_func, _o____lc_codepage_func, __CxxFrameHandler3, memcmp, memcpy
KERNEL32.dll | AcquireSRWLockShared, SetEvent, GetModuleFileNameA, HeapFree, GetModuleHandleExW, GetCurrentThreadId, FormatMessageW, HeapAlloc, CreateEventW, GetProcAddress, GetProcessHeap, GetModuleHandleW, WideCharToMultiByte, DebugBreak, GetLastError, OutputDebugStringW, IsDebuggerPresent, CloseHandle, SetLastError, WaitForSingleObject, ReleaseSemaphore, OpenSemaphoreW, EnterCriticalSection, LeaveCriticalSection, ReleaseMutex, GetCurrentProcessId, CreateMutexExW, CreateSemaphoreExW, WaitForSingleObjectEx, MultiByteToWideChar, QueryPerformanceFrequency, InitializeCriticalSectionAndSpinCount, GetStringTypeW, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, RtlCaptureContext, VerifyVersionInfoW, VerSetConditionMask, ExitProcess, WTSGetActiveConsoleSessionId, HeapReAlloc, GlobalFree, GetSystemDirectoryW, GetFileAttributesW, CreateMutexW, GetProductInfo, GetUserDefaultLocaleName, InitializeCriticalSection, CreateThreadpoolTimer, ReleaseSRWLockShared, ResetEvent, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, InitializeSRWLock, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, LoadLibraryExW, FreeLibrary, GetStartupInfoW, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry
SHLWAPI.dll | StrTrimW
WTSAPI32.dll | WTSFreeMemory, WTSEnumerateSessionsW, WTSQueryUserToken
api-ms-win-core-registry-l1-1-0.dll | RegQueryInfoKeyW, RegCreateKeyExW, RegDeleteTreeW, RegEnumValueW, RegCloseKey, RegOpenKeyExW, RegSetValueExW, RegGetValueW
api-ms-win-core-com-l1-1-0.dll | CoUninitialize, CoCreateInstance, StringFromGUID2, CoTaskMemFree, CoCreateGuid
api-ms-win-eventing-provider-l1-1-0.dll | EventUnregister, EventRegister, EventSetInformation, EventActivityIdControl, EventWriteTransfer
api-ms-win-stateseparation-helpers-l1-1-0.dll | GetPersistedFileLocationW, GetPersistedRegistryLocationW
WINHTTP.dll | WinHttpQueryHeaders, WinHttpReadData, WinHttpOpenRequest, WinHttpOpen, WinHttpReceiveResponse, WinHttpCloseHandle, WinHttpGetIEProxyConfigForCurrentUser, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpSendRequest, WinHttpSetCredentials, WinHttpConnect, WinHttpSetOption, WinHttpQueryDataAvailable, WinHttpGetDefaultProxyConfiguration
api-ms-win-core-version-l1-1-1.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW
api-ms-win-core-version-l1-1-0.dll | VerQueryValueW
ntdll.dll | RtlGetDeviceFamilyInfoEnum, RtlConvertDeviceFamilyInfoToString
api-ms-win-security-base-l1-1-0.dll | RevertToSelf, ImpersonateLoggedOnUser
api-ms-win-core-winrt-l1-1-0.dll | RoUninitialize, RoInitialize
api-ms-win-security-credentials-l1-1-0.dll | CredReadW, CredFree
ole32.dll | CoInitialize, CoGetObject
No network behavior found
Target ID:0
Start time:04:24:20
Start date:04/02/2025
Path:C:\Users\user\Desktop\FaceFodUninstaller.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\FaceFodUninstaller.exe" -install
Imagebase:0x7ff6b2b50000
File size:200'704 bytes
MD5 hash:B6A30C5F8D5885B7B96E9BAC7675165F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:04:24:23
Start date:04/02/2025
Path:C:\Users\user\Desktop\FaceFodUninstaller.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\FaceFodUninstaller.exe" /install
Imagebase:0x7ff6b2b50000
File size:200'704 bytes
MD5 hash:B6A30C5F8D5885B7B96E9BAC7675165F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:3
Start time:04:24:25
Start date:04/02/2025
Path:C:\Users\user\Desktop\FaceFodUninstaller.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\FaceFodUninstaller.exe" /load
Imagebase:0x7ff6b2b50000
File size:200'704 bytes
MD5 hash:B6A30C5F8D5885B7B96E9BAC7675165F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly