fodhelper.exe

  • File Path: C:\Windows\system32\fodhelper.exe
  • Description: Features On Demand Helper

Hashes

| Type | Hash |
|---|---|
| MD5 | F23BCF023D5039CCAB3AA40F6A07B817 |
| SHA1 | 4D0DE1C3121F202604A01C6DC6F6A36F4A0A4619 |
| SHA256 | B1223B86D03C3583B84E46A9A6AD009D770FC4114640402EDE19793167593A8F |
| SHA384 | 9558658080010B4C92BE066A6090AE7E6063D6899476FFB4B4183FA3067BA55341D666B67871F6FF1D2DF062BEDCB0FD |
| SHA512 | 93249CCBF00B0CC62C9EB05535563C443A37830CE5EAB6EC068CA50EF544E9643F8C5E3E6EC484F6A1767F3D21894CD99D9329EC4BBF02FEE7BB895CC75BA394 |
| SSDEEP | 768:YqpZqknV+b+pvxg9JWSALQJnjpt6V3Glw1mHXrzg31TdavZZ7RRr:pqQApW3WOV3Gy1mHX61TSZZTr |
| IMP | 2BD851C90720C3E5FEE7E3FF3ACFA3D5 |
| PESHA1 | 36A86EAA24EBFFE7CF80D3A89E308F6799152FEE |
| PE256 | F3A3C2E5533051AD881B35EB27CFF08234552D03F198BBC7ED8E8DD662A41514 |

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\fodhelper.exe
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: FodHelper.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/b1223b86d03c3583b84e46a9a6ad009d770fc4114640402ede19793167593a8f/detection/

Possible Misuse

The following table contains possible examples of fodhelper.exe being misused. While fodhelper.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_uac_fodhelper.yml | title: Bypass UAC via Fodhelper.exe | DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. | DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | ParentImage\|endswith: '\fodhelper.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_fodhelper.yml | - Legitimate use of fodhelper.exe utility by legitimate user | DRL 1.0 |
| sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0 |
| malware-ioc | win_apt_invisimole_uac_bypass.yml | - '\fodhelper.exe' | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Bypass UAC using Fodhelper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #3 - Bypass UAC using Fodhelper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | fodhelper.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process “C:\Windows\System32\fodhelper.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Target: \system32\fodhelper.exe | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.