06.08.2014 - 13:37 [ Netzpolitik.org ]

FINFISHER: FinSpy 3.00 User Manual

2.2.5.1.2 Hiding Techniques
It is possible to activate an advanced hiding method which allows the FinSpy Trojan to be more stealthy and extremely hidden.

The following actions are taken if the FinSpy Trojan runs in User-Mode:
– Hides the network connections
– Hides the registry entries
– Hides the Trojan processes

The following actions are taken if the FinSpy Trojan runs in Admin-Mode:
– Hides the network connections
– Hides the Trojan processes

If the Active Hiding is activated, it is more likely to be discovered by some rootkit detectors, due to its aggressiveness within the system.

2.2.5.1.3 Infection Self-removal
Computers which never go online may become infected by mistake and spread an infected application through an organization. To avoid keeping offline computers infected still recording data, the FinSpy Target can remove itself.

– Scheduled Removal: Date on which the FinSpy Target removes itself from the infected computer
– Time Out Removal: Time after which the FinSpy Target removes itself from the infected computer, if communication with the FinSpy Master fails (even if there is a functional internet connection). This renewal will be disabled once the FinSpy Target contacts the FinSpy Master for the first time.