Technical Information
- [<HKLM>\System\CurrentControlSet\Services\tap0901] 'ImagePath' = 'system32\DRIVERS\tap0901.sys'
- '%WINDIR%\syswow64\taskkill.exe' /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"
- '%WINDIR%\syswow64\taskkill.exe' /F /T /IM "autoit3.exe"
- %TEMP%\openvpn\install.bat
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set50e2.tmp
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set52a8.tmp
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
- %WINDIR%\temp\uddaa8a.tmp
- %ProgramFiles%\openvpn\autoit3.exe
- %ProgramFiles%\openvpn\cpau-run.exe
- %ProgramFiles%\openvpn\cpau.exe
- %ProgramFiles%\openvpn\cpau.job
- %ProgramFiles%\openvpn\devcon32.exe
- %ProgramFiles%\openvpn\devcon64.exe
- %ProgramFiles%\openvpn\hidec.exe
- %ProgramFiles%\openvpn\libeay32.dll
- %ProgramFiles%\openvpn\liblzo2-2.dll
- %ProgramFiles%\openvpn\libpkcs11-helper-1.dll
- %ProgramFiles%\openvpn\openssl.exe
- %ProgramFiles%\openvpn\openvpn-gui.exe
- %ProgramFiles%\openvpn\openvpn-run.exe
- %ProgramFiles%\openvpn\tap\x64\tap0901.sys
- %ProgramFiles%\openvpn\tap\x64\tap0901.cat
- %ProgramFiles%\openvpn\tap\x64\oemwin2k.inf
- %ProgramFiles%\openvpn\tap\x32\tap0901.sys
- %ProgramFiles%\openvpn\tap\x32\tap0901.cat
- %ProgramFiles%\openvpn\tap\x32\oemwin2k.inf
- %ProgramFiles%\openvpn\tapdel.bat
- %ProgramFiles%\openvpn\config\ivpetrushin.ovpn
- %ProgramFiles%\openvpn\tapadd.cer
- %ProgramFiles%\openvpn\tapadd.bat
- %ProgramFiles%\openvpn\tapadd.au3
- %ProgramFiles%\openvpn\ssleay32.dll
- %ProgramFiles%\openvpn\openvpn.ico
- %ProgramFiles%\openvpn\openvpn.exe
- %PROGRAMDATA%\microsoft\windows\start menu\programs\openvpn.lnk
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set5006.tmp
- nul
- %TEMP%\openvpn\shortcut.vbs
- %TEMP%\openvpn\sources\make.bat
- %TEMP%\openvpn\files\tapadd.bat
- %TEMP%\openvpn\files\tapdel.bat
- %TEMP%\openvpn\files\tap\x32\oemwin2k.inf
- %TEMP%\openvpn\files\tap\x64\oemwin2k.inf
- %TEMP%\openvpn\files\autoit3.exe
- %TEMP%\openvpn\files\cpau-run.exe
- %TEMP%\openvpn\files\cpau.exe
- %TEMP%\openvpn\files\devcon32.exe
- %TEMP%\openvpn\files\devcon64.exe
- %TEMP%\openvpn\files\hidec.exe
- %TEMP%\openvpn\files\openssl.exe
- %TEMP%\openvpn\files\openvpn-gui.exe
- %TEMP%\openvpn\files\openvpn-run.exe
- %TEMP%\openvpn\files\openvpn.exe
- %TEMP%\openvpn\files\libeay32.dll
- %TEMP%\openvpn\files\liblzo2-2.dll
- %TEMP%\openvpn\files\cpau.job
- %TEMP%\openvpn\files\openvpn.ico
- %TEMP%\openvpn\sources\openvpn-run.ico
- %TEMP%\openvpn\sources\cpau-run.ico
- %TEMP%\openvpn\sources\openvpn-run.cs
- %TEMP%\openvpn\sources\cpau-run.cs
- %TEMP%\openvpn\files\tap\x64\tap0901.cat
- %TEMP%\openvpn\files\tapadd.cer
- %TEMP%\openvpn\files\tap\x32\tap0901.cat
- %TEMP%\openvpn\files\tapadd.au3
- %TEMP%\openvpn\files\tap\x64\tap0901.sys
- %TEMP%\openvpn\files\tap\x32\tap0901.sys
- %TEMP%\openvpn\files\ssleay32.dll
- %TEMP%\openvpn\files\libpkcs11-helper-1.dll
- %TEMP%\openvpn\files\config\ivpetrushin.ovpn
- C:\users\public\desktop\openvpn.lnk
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\oemwin2k.inf
- %TEMP%\openvpn\sources\cpau-run.ico
- %TEMP%\openvpn\sources\cpau-run.cs
- %TEMP%\openvpn\shortcut.vbs
- %TEMP%\openvpn\files\tapdel.bat
- %TEMP%\openvpn\files\tapadd.cer
- %TEMP%\openvpn\files\tapadd.bat
- %TEMP%\openvpn\files\tapadd.au3
- %TEMP%\openvpn\files\tap\x64\tap0901.sys
- %TEMP%\openvpn\files\tap\x64\tap0901.cat
- %TEMP%\openvpn\files\tap\x64\oemwin2k.inf
- %TEMP%\openvpn\files\tap\x32\tap0901.sys
- %TEMP%\openvpn\files\tap\x32\tap0901.cat
- %TEMP%\openvpn\files\tap\x32\oemwin2k.inf
- %TEMP%\openvpn\sources\make.bat
- %TEMP%\openvpn\files\ssleay32.dll
- %TEMP%\openvpn\files\openvpn.exe
- %TEMP%\openvpn\files\openssl.exe
- %TEMP%\openvpn\files\libeay32.dll
- %TEMP%\openvpn\files\hidec.exe
- %TEMP%\openvpn\files\devcon64.exe
- %TEMP%\openvpn\files\devcon32.exe
- %TEMP%\openvpn\files\cpau.job
- %TEMP%\openvpn\files\cpau.exe
- %TEMP%\openvpn\files\cpau-run.exe
- %TEMP%\openvpn\files\autoit3.exe
- %WINDIR%\temp\uddaa8a.tmp
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\tap0901.sys
- %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\tap0901.cat
- %TEMP%\openvpn\files\openvpn.ico
- %TEMP%\openvpn\sources\openvpn-run.cs
- from %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set5006.tmp to %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\oemwin2k.inf
- from %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set50e2.tmp to %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\tap0901.cat
- from %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\set52a8.tmp to %TEMP%\{107d6b79-24ae-69c0-2685-0920ba394217}\tap0901.sys
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK microsoft.com
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
- '%TEMP%\openvpn\files\hidec.exe' "<SYSTEM32>\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "%TEMP%\OpenVPN""
- '%TEMP%\openvpn\files\devcon64.exe' remove "tap0901"
- '%TEMP%\openvpn\files\devcon64.exe' remove "tap0801"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"
- '%TEMP%\openvpn\files\autoit3.exe' "tapadd.au3"
- '%TEMP%\openvpn\files\devcon64.exe' install "%TEMP%\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\OpenVPN\shortcut.vbs" "%ProgramFiles%\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-клиент" "%ProgramFiles%\OpenVPN\openvpn.ico"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\OpenVPN\shortcut.vbs" "%ProgramFiles%\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-клиент" "%ProgramFiles%\OpenVPN\openvpn.ico"
- '%WINDIR%\syswow64\cmd.exe' /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "%TEMP%\OpenVPN""' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "%TEMP%\OpenVPN""
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "%ProgramFiles%\OpenVPN\openvpn.exe" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "%ProgramFiles%\OpenVPN\log" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "%ProgramFiles%\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "%ProgramFiles%\OpenVPN\config" /F
- '%WINDIR%\syswow64\find.exe' /I "successfully"
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\OpenVPN" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\.ovpn" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\OpenVPN" /F
- '%WINDIR%\syswow64\reg.exe' delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
- '%WINDIR%\syswow64\certutil.exe' -addstore "TrustedPublisher" "%TEMP%\OpenVPN\Files\\tapadd.cer"
- '%WINDIR%\syswow64\cmd.exe' /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F
- '%WINDIR%\syswow64\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011" /V "Characteristics" /T REG_DWORD /D "0x89" /F
- '%WINDIR%\syswow64\xcopy.exe' /E /C /Q /H /R /Y /Z "%TEMP%\OpenVPN\Files" "%ProgramFiles%\OpenVPN\"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "%ProgramFiles%\OpenVPN" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "%ProgramFiles%\OpenVPN\config" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "%ProgramFiles%\OpenVPN\openvpn.exe" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "%ProgramFiles%\OpenVPN\log" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "%ProgramFiles%\OpenVPN" /F
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 11