Техническая информация
Для обеспечения автозапуска и распространения
Создает следующие сервисы
- [<HKLM>\SYSTEM\CurrentControlSet\Services\Fasoo Process Service] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Fasoo Process Service] 'ImagePath' = '"%ProgramFiles%\Fasoo DRM\f_LPS.exe"'
- [<HKLM>\System\CurrentControlSet\Services\f_npm] 'ImagePath' = '<DRIVERS>\f_npm.sys'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\f_npm] 'Start' = '00000002'
Вредоносные функции
Устанавливает процедуры перхвата сообщений
о нажатии клавиш клавиатуры:
- Библиотека-обработчик для всех процессов: %ProgramFiles(x86)%\Fasoo DRM\f_sps.dll
оконных сообщений:
- Библиотека-обработчик для всех процессов: %ProgramFiles(x86)%\Fasoo DRM\f_sps.dll
- Библиотека-обработчик для всех процессов: %ProgramFiles%\Fasoo DRM\f_sps.dll
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\{03035fb1-e054-4e3b-8d73-50b3c1496292}\fss client for sec sbc wix x64.msi
- <SYSTEM32>\fcw_cryptoex.dll
- %WINDIR%\syswow64\fcw_cryptoex.dll
- <SYSTEM32>\fcw_crypto.dll
- %WINDIR%\syswow64\fcw_crypto.dll
- <SYSTEM32>\fcw_crtw.dll
- %WINDIR%\syswow64\fcw_crtw.dll
- <SYSTEM32>\fcw_crtstg.dll
- %WINDIR%\syswow64\fcw_crtstg.dll
- <SYSTEM32>\fcw_cms.dll
- %WINDIR%\syswow64\fcw_cms.dll
- %ProgramFiles(x86)%\fasoo drm\f_xlus.dll
- %ProgramFiles%\fasoo drm\f_xlus.dll
- %ProgramFiles%\fasoo drm\f_wd_s.dll
- %ProgramFiles(x86)%\fasoo drm\f_ss.dll
- %ProgramFiles(x86)%\fasoo drm\f_sps.dll
- %ProgramFiles%\fasoo drm\f_sps.dll
- %ProgramFiles(x86)%\fasoo drm\f_protry.dll
- %ProgramFiles%\fasoo drm\f_protry.dll
- <SYSTEM32>\f_pbrc12.dll
- %WINDIR%\syswow64\f_pbrc12.dll
- <SYSTEM32>\f_pbrc11.dll
- <SYSTEM32>\f_pbrc09.dll
- %WINDIR%\syswow64\f_pbrc11.dll
- %ProgramFiles(x86)%\fasoo drm\f_ss_ver.dll
- %ProgramFiles(x86)%\fasoo drm\f_ext.dll
- %LOCALAPPDATA%low\ac.dat
- %LOCALAPPDATA%low\f_temp.log
- %ProgramFiles(x86)%\fasoo drm\log\f_0021.log
- %WINDIR%\temp\udd63b8.tmp
- %WINDIR%\uninstall.ini
- %PROGRAMDATA%\microsoft\windows\start menu\programs\fasoo.com\fss client - sec sbc\drm recovery.lnk
- %PROGRAMDATA%\microsoft\windows\start menu\programs\fasoo.com\fss client - sec sbc\diagnosis.lnk
- %WINDIR%\installer\{03035fb1-e054-4e3b-8d73-50b3c1496292}\product.ico
- %WINDIR%\fs_shortcut.exe
- <SYSTEM32>\launchmsi.exe
- %ProgramFiles(x86)%\fasoo drm\fs_commsvr.dll
- %ProgramFiles(x86)%\fasoo drm\f_diag.exe
- %ProgramFiles%\fasoo drm\fs_commcli.dll
- %ProgramFiles(x86)%\fasoo drm\fs_commcli.dll
- %WINDIR%\syswow64\fphstat.dll
- %ProgramFiles(x86)%\fasoo drm\fphbroker.exe
- %ProgramFiles%\fasoo drm\fph.exe
- %ProgramFiles(x86)%\fasoo drm\fph.exe
- %WINDIR%\syswow64\f_depol.dll
- %ProgramFiles(x86)%\fasoo drm\f_ss_citrix_ver.dll
- <SYSTEM32>\f_depol.dll
- %ProgramFiles(x86)%\fasoo drm\policy\s_0000000000000908\0000000000000908_fss1.pol
- %WINDIR%\syswow64\f_pbrc09.dll
- %WINDIR%\syswow64\drivers\f_npm.sys
- <DRIVERS>\f_npm.sys
- %TEMP%\7zs1857.tmp\setacl_64.exe
- %TEMP%\7zs1857.tmp\launchaclwait_64.exe
- %TEMP%\7zs1087.tmp\setacl_64.exe
- %TEMP%\7zs1087.tmp\launchaclwait_64.exe
- %TEMP%\7zs84a.tmp\setacl_64.exe
- %TEMP%\7zs84a.tmp\launchaclwait_64.exe
- %TEMP%\7zsffce.tmp\setacl.exe
- %TEMP%\7zsffce.tmp\launchaclwait.exe
- %TEMP%\7zsf6d5.tmp\setacl.exe
- %TEMP%\7zsf6d5.tmp\launchaclwait.exe
- %TEMP%\7zsedfc.tmp\setacl.exe
- %TEMP%\7zsedfc.tmp\launchaclwait.exe
- %TEMP%\7zse512.tmp\setacl.exe
- %TEMP%\7zse512.tmp\launchaclwait.exe
- %TEMP%\7zsdab2.tmp\setacl.exe
- %TEMP%\7zsdab2.tmp\launchaclwait.exe
- %TEMP%\7zsd071.tmp\setacl.exe
- %TEMP%\7zsd071.tmp\launchaclwait.exe
- %TEMP%\msibc7e.tmp
- %TEMP%\fss client for sec sbc wix x6400000.log
- %TEMP%\7zs1faa.tmp\setacl_64.exe
- %TEMP%\7zs274b.tmp\launchaclwait_64.exe
- %TEMP%\7zs1faa.tmp\launchaclwait_64.exe
- %TEMP%\7zs274b.tmp\setacl_64.exe
- %ProgramFiles%\fasoo drm\f_lps.exe
- %TEMP%\7zs2f79.tmp\launchaclwait_64.exe
- %WINDIR%\syswow64\f_lph.dll
- <SYSTEM32>\f_lph.dll
- %WINDIR%\syswow64\f_kpi.dll
- %WINDIR%\syswow64\f_im.dll
- <SYSTEM32>\f_im.dll
- %WINDIR%\syswow64\drivers\f_ih.sys
- %ProgramFiles%\fasoo drm\f_dnbroker.exe
- %ProgramFiles(x86)%\fasoo drm\f_dnbroker.exe
- %ProgramFiles(x86)%\fasoo drm\f_dn.dll
- %ProgramFiles%\fasoo drm\fs_commsvr.dll
- %LOCALAPPDATA%low\bc.dat
- %WINDIR%\syswow64\f_crypto.dll
- %ProgramFiles%\fasoo drm\f_com_s.dll
- %ProgramFiles%\fasoo drm\f_com_c.dll
- %ProgramFiles(x86)%\fasoo drm\f_com_c.dll
- %ProgramFiles(x86)%\fasoo drm\f_cm.dll
- %ProgramFiles%\fasoo drm\f_cm.dll
- %ProgramFiles(x86)%\fasoo drm\f_cie.dll
- %ProgramFiles%\fasoo drm\f_cie.dll
- %ProgramFiles(x86)%\fasoo drm\f_blksc.dll
- %TEMP%\7zs2f79.tmp\setacl_64.exe
- %ProgramFiles%\fasoo drm\f_dn.dll
- %LOCALAPPDATA%low\ad589828_0
Удаляет следующие файлы
- %TEMP%\msibc7e.tmp
- %TEMP%\7zs2f79.tmp\setacl_64.exe
- %TEMP%\7zs2f79.tmp\launchaclwait_64.exe
- %TEMP%\7zs274b.tmp\setacl_64.exe
- %TEMP%\7zs274b.tmp\launchaclwait_64.exe
- %TEMP%\7zs1faa.tmp\setacl_64.exe
- %TEMP%\7zs1faa.tmp\launchaclwait_64.exe
- %TEMP%\7zs1857.tmp\setacl_64.exe
- %TEMP%\7zs1857.tmp\launchaclwait_64.exe
- %TEMP%\7zs1087.tmp\setacl_64.exe
- %TEMP%\7zs1087.tmp\launchaclwait_64.exe
- %TEMP%\7zs84a.tmp\setacl_64.exe
- %WINDIR%\temp\udd63b8.tmp
- %TEMP%\7zs84a.tmp\launchaclwait_64.exe
- %TEMP%\7zsffce.tmp\launchaclwait.exe
- %TEMP%\7zsf6d5.tmp\setacl.exe
- %TEMP%\7zsf6d5.tmp\launchaclwait.exe
- %TEMP%\7zsedfc.tmp\setacl.exe
- %TEMP%\7zsedfc.tmp\launchaclwait.exe
- %TEMP%\7zse512.tmp\setacl.exe
- %TEMP%\7zse512.tmp\launchaclwait.exe
- %TEMP%\7zsdab2.tmp\setacl.exe
- %TEMP%\7zsdab2.tmp\launchaclwait.exe
- %TEMP%\7zsd071.tmp\setacl.exe
- %TEMP%\7zsd071.tmp\launchaclwait.exe
- %TEMP%\7zsffce.tmp\setacl.exe
- %LOCALAPPDATA%low\ad589828_0
Перемещает следующие файлы
- %TEMP%\{03035fb1-e054-4e3b-8d73-50b3c1496292}\fss client for sec sbc wix x64.msi в %PROGRAMDATA%\fasoo.com\live update\{03035fb1-e054-4e3b-8d73-50b3c1496292}v2.05.0001\fss client for sec sbc wix x64.msi
Другое
Ищет следующие окна
- ClassName: '__@@Fasoo_DRM_CMH_Agent@@__' WindowName: ''
- ClassName: '__@@Fasoo_DRM_CMH_Client@@__' WindowName: ''
- ClassName: '__@@Fasoo_DRM_CMH_Client64@@__' WindowName: ''
- ClassName: '#01152004_FPH' WindowName: ''
- ClassName: '#01152004_FPH64' WindowName: ''
- ClassName: 'FasooSecurePrintManagerClass' WindowName: 'FasooSecurePrintManagerWindow'
- ClassName: 'FasooSecurePrintRecoverClass' WindowName: 'FasooSecurePrintRecoverWindow'
Создает и запускает на исполнение
- '%TEMP%\7zs84a.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zs1faa.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zsffce.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%WINDIR%\installer\msi2c3f.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%WINDIR%\installer\msi52a.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%ProgramFiles%\fasoo drm\fph.exe'
- '%WINDIR%\installer\msic9e.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zs1087.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%WINDIR%\installer\msifbf2.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%TEMP%\7zsffce.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%WINDIR%\installer\msi152a.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%TEMP%\7zs1857.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%TEMP%\7zs1857.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%TEMP%\7zs274b.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%WINDIR%\installer\msi1ccc.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zs1faa.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zs1087.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zs274b.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zs2f79.tmp\launchaclwait_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%TEMP%\7zs84a.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zsf6d5.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%WINDIR%\installer\msicf40.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zsdab2.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zsd071.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%ProgramFiles(x86)%\fasoo drm\fph.exe'
- '%WINDIR%\installer\msid5c8.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zsdab2.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zsf6d5.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%WINDIR%\installer\msif394.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%ProgramFiles%\fasoo drm\f_lps.exe'
- '%TEMP%\7zsd071.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%WINDIR%\installer\msiea4c.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zsedfc.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zsedfc.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"
- '%TEMP%\7zs2f79.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl
- '%WINDIR%\installer\msie162.tmp' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%WINDIR%\installer\msi23e2.tmp' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np
- '%TEMP%\7zse512.tmp\launchaclwait.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%TEMP%\7zse512.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...
- '%TEMP%\7zs1faa.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"' (со скрытым окном)
- '%TEMP%\7zs274b.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np' (со скрытым окном)
- '%TEMP%\7zs2f79.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl' (со скрытым окном)
- '%ProgramFiles(x86)%\fasoo drm\fph.exe' ' (со скрытым окном)
- '%TEMP%\7zs1857.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...' (со скрытым окном)
- '%TEMP%\7zs1087.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np' (со скрытым окном)
- '%WINDIR%\syswow64\msiexec.exe' /regserver' (со скрытым окном)
- '%TEMP%\7zse512.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn ace -ace "n:S-1-5-32-544;s:y;p:full" -ace "n:S-1-3-0;s:y;p:full" -ace "n:S-1-5-18;s:y;p:full" -ace "n:S-1-5-32-547;s:y;p:full" -ace "n:S-1-5...' (со скрытым окном)
- '%TEMP%\7zsf6d5.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setprot -op dacl:np' (со скрытым окном)
- '%TEMP%\7zsedfc.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"' (со скрытым окном)
- '%TEMP%\7zsdab2.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setprot -op dacl:np' (со скрытым окном)
- '%TEMP%\7zsd071.tmp\setacl.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"' (со скрытым окном)
- '%WINDIR%\syswow64\net.exe' start MSIServer' (со скрытым окном)
- '%TEMP%\7zs84a.tmp\setacl_64.exe' -on "HKLM\SOFTWARE\Fasoo DRM" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544;s:y"' (со скрытым окном)
- '%TEMP%\7zsffce.tmp\setacl.exe' -on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ot reg -rec yes -actn clear -clr dacl,sacl' (со скрытым окном)
- '%ProgramFiles%\fasoo drm\fph.exe' ' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\msiexec.exe' /regserver
- '%WINDIR%\syswow64\net.exe' start MSIServer
- '%WINDIR%\syswow64\net1.exe' start MSIServer
- '<SYSTEM32>\msiexec.exe' /quiet /fm {03035FB1-E054-4e3b-8D73-50B3C1496292}
- '%WINDIR%\syswow64\rundll32.exe' "%ProgramFiles(x86)%\Fasoo DRM\f_protry.dll", SWMStart
- '<SYSTEM32>\rundll32.exe' "%ProgramFiles%\Fasoo DRM\f_protry.dll", SWMStart
