Play interactive tour

Edit tour

Analysis Report $RDPLVFM.exe

Overview

General Information

Sample Name:	$RDPLVFM.exe
Analysis ID:	392874
MD5:	9cbcd1d8dae34cd6cc49460103e521c4
SHA1:	b07e7b15752e1e25dd1e9fd480cacd5f3a79c5de
SHA256:	a9497a467b5846d60f2c12a3fd03c4fce70e38a7237a916d93ee440048b9c59b
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Binary is likely a compiled AutoIt script file

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

$RDPLVFM.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\$RDPLVFM.exe' MD5: 9CBCD1D8DAE34CD6CC49460103E521C4)

7za.exe (PID: 6420 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe x -y patchfiles.zip MD5: 0184E6EBE133EF41A8CC6EF98A263712)

conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

alp.exe (PID: 6752 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe MD5: BF506999F29EAAB4910A08ED740C12FB)

rundll32.exe (PID: 5940 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\' MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\config\ajax.php	webshell_php_generic_tiny	php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives	Arnim Rupp	0x0:$php_short: <? 0x0:$php_new2: <?php 0x10:$inp3: _POST[ 0x33:$cpayload4: passthru(" 0x7f:$cpayload4: passthru(" 0xbb:$cpayload4: passthru(" 0x10d:$cpayload4: passthru(" 0x164:$cpayload4: passthru("
C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\chip\dataupd.php	webshell_php_generic_tiny	php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives	Arnim Rupp	0x0:$php_short: <? 0x0:$php_new2: <?php 0x94:$inp3: _POST[ 0xb8:$inp3: _POST[ 0xd6:$inp3: _POST[ 0xf7:$inp3: _POST[ 0x129:$inp3: _POST[ 0x153:$inp3: _POST[ 0x187:$inp3: _POST[ 0x1aa:$inp3: _POST[ 0x1df:$inp3: _POST[ 0x212:$inp3: _POST[ 0x259:$inp3: _POST[ 0x28b:$inp3: _POST[ 0x2b4:$inp3: _POST[ 0x2f1:$inp3: _POST[ 0x329:$inp3: _POST[ 0x365:$inp3: _POST[ 0x38a:$inp3: _POST[ 0x3be:$inp3: _POST[ 0x3d7:$cpayload2: exec($
C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\ajax\logfile.php	webshell_php_generic_tiny	php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives	Arnim Rupp	0x0:$php_short: <? 0x0:$php_new2: <?php 0xf8:$inp2: _GET[ 0xb8:$inp3: _POST[ 0x355:$cpayload2: exec("
C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\chip\index.php	webshell_phpshell3	Web Shell - file phpshell3.php	Florian Roth	0x4741:$s2: <input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; 0x2746:$s7: $_SESSION['output'] .= "cd: could not change to: $new_dir\n";

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: $RDPLVFM.exe

Virustotal: Detection: 11%

Perma Link

Source: $RDPLVFM.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wextract.pdb source: $RDPLVFM.exe
Source:	Binary string: wextract.pdbGCTL source: $RDPLVFM.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00405FB7 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00407D3F FindFirstFileW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lang.ini
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\

Source: status.php.2.dr	String found in binary or memory: http://192.168.0.100/
Source: crypt.php.2.dr	String found in binary or memory: http://aspirine.org/htpasswd_en.html
Source: libcurl.so.4.2.dr	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: documentation.php.2.dr	String found in binary or memory: http://docs.allnetnetworks.com/
Source: documentation.php.2.dr	String found in binary or memory: http://docs.allnetnetworks.com/check.php
Source: documentation.php.2.dr	String found in binary or memory: http://docs.allnetnetworks.com/direct.php
Source: crypt.php.2.dr	String found in binary or memory: http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
Source: jquery-ui-1.11.4.custom.min.css.2.dr	String found in binary or memory: http://jqueryui.com
Source: jquery-ui-1.11.4.custom.min.css.2.dr	String found in binary or memory: http://jqueryui.com/themeroller/?ffDefault=Arial%2C%20Helvetica%2C%20sans-serif&fwDefault=normal&fsD
Source: jquery.blockUI.min.js.2.dr	String found in binary or memory: http://malsup.com/jquery/block/
Source: 7za.exe, 00000002.00000003.645520903.00000000007C0000.00000004.00000001.sdmp	String found in binary or memory: http://openweathermap.org/
Source: crypt.php.2.dr	String found in binary or memory: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co
Source: jquery.timepicker.min.js.2.dr	String found in binary or memory: http://trentrichardson.com/examples/timepicker
Source: jquery.simplecolorpicker.css.2.dr	String found in binary or memory: http://twitter.github.com/bootstrap/assets/css/bootstrap.css
Source: test_connection.sh.2.dr	String found in binary or memory: http://www.allnet.de
Source: about.html.2.dr	String found in binary or memory: http://www.allnet.de/gpl.html
Source: alp.exe, 00000006.00000000.648836045.0000000000FB4000.00000002.00020000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/R
Source: crypt.php.2.dr	String found in binary or memory: http://www.cryptologie.net/article/126/bruteforce-apr1-hashes/
Source: openssl.cnf.2.dr	String found in binary or memory: http://www.domain.dom/ca-crl.pem
Source: jquery.download.js.2.dr	String found in binary or memory: http://www.filamentgroup.com
Source: jquery.download.js.2.dr	String found in binary or memory: http://www.filamentgroup.com/lab/jquery_plugin_for_requesting_ajax_like_file_downloads/
Source: about.html.2.dr	String found in binary or memory: http://www.flotcharts.org/
Source: jquery-ui.icon-font.css.2.dr, jquery.blockUI.min.js.2.dr	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: test_connection.sh.2.dr	String found in binary or memory: http://www.google.de
Source: access_log.conf.2.dr	String found in binary or memory: http://www.lighttpd.net/documentation/access.html
Source: jquery.blockUI.min.js.2.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: libcrypto.so.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: libcrypto.so.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: crypt.php.2.dr	String found in binary or memory: http://www.php.net/manual/en/function.crypt.php#73619
Source: jquery.short_cuts.js.2.dr	String found in binary or memory: http://www.stepanreznikov.com/js-shortcuts/
Source: lang_fr.ini.2.dr	String found in binary or memory: http://www.wetter.com/wetter_rss/wetter.xml)
Source: 7za.exe, 00000002.00000003.645520903.00000000007C0000.00000004.00000001.sdmp, jsonswitch.php.2.dr	String found in binary or memory: https://192.168.1.19/xml/jsonswitch.php?id=168&set=8.8&fading=16.9
Source: jquery-ui.icon-font.css.2.dr	String found in binary or memory: https://creativecommons.org/licenses/by-sa/3.0/
Source: about.html.2.dr	String found in binary or memory: https://github.com/HanSolo/SteelSeries-Canvas/
Source: about.html.2.dr	String found in binary or memory: https://github.com/flot/flot/blob/master/LICENSE.txt
Source: jquery.simplecolorpicker.css.2.dr	String found in binary or memory: https://github.com/twitter/bootstrap/blob/master/less/dropdowns.less
Source: crypt.php.2.dr	String found in binary or memory: https://github.com/whitehat101/apr1-md5
Source: ca-certificates.crt.2.dr	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert
Source: about.html.2.dr	String found in binary or memory: https://jquery.com/
Source: about.html.2.dr	String found in binary or memory: https://jquery.org/license/
Source: about.html.2.dr	String found in binary or memory: https://plus.google.com/105784522827877256999
Source: checkupdate.sh.2.dr	String found in binary or memory: https://update.allnet.de/
Source: offlineupdate.sh.2.dr	String found in binary or memory: https://update.allnet.de/v3/

Source: 7za.exe, 00000002.00000002.646626684.00000000007DA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\chip\index.php, type: DROPPED

Matched rule: Web Shell - file phpshell3.php Author: Florian Roth

Binary is likely a compiled AutoIt script file

Show sources

Source: alp.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: alp.exe, 00000006.00000000.648738365.0000000000F9E000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe

Code function: 2_2_004084D7: DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00468500
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004559DF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0041B079
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0045B5AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00488250
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0046C350
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00478490
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004785A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004089A6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0043CAE1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0047CD68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00404E85
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0044D018
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048D0D3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00445081
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004750A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048D261
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00481290
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048D33B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048D421
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0047D4D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004015C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004019BD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00471A00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00475C80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00471D10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00475D80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00469EC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0047DE90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00465FE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004221D5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_004721A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0045E376
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0044E32B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00486460
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F1B043
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F2410F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F03200
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F24BEF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00EFE3B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00EF9B60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F0F563
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F19ED0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00EF77B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00EF6F07

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: String function: 00401CEB appears 121 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: String function: 0048C9C0 appears 430 times

Source: $RDPLVFM.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 7557622 bytes, 9 files

Source: $RDPLVFM.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: $RDPLVFM.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: $RDPLVFM.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: $RDPLVFM.exe, 00000000.00000003.638525072.000002368D6D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename7za.exe, vs $RDPLVFM.exe
Source: $RDPLVFM.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs $RDPLVFM.exe
Source: $RDPLVFM.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs $RDPLVFM.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\config\ajax.php, type: DROPPED	Matched rule: webshell_php_generic_tiny date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\chip\dataupd.php, type: DROPPED	Matched rule: webshell_php_generic_tiny date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\ajax\logfile.php, type: DROPPED	Matched rule: webshell_php_generic_tiny date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or would give lots of false positives, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\www\db\chip\index.php, type: DROPPED	Matched rule: webshell_phpshell3 date = 2014/01/28, author = Florian Roth, description = Web Shell - file phpshell3.php, score = 76117b2ee4a7ac06832d50b2d04070b8

Source: classification engine

Classification label: mal60.winEXE@7/561@0/0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F3CE7A GetLastError,FormatMessageW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00408598 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0041A004 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe

Code function: 2_2_004084D7 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F36532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00EF406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:120:WilError_01

Source: C:\Users\user\Desktop\$RDPLVFM.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: $RDPLVFM.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

File read: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lang.ini

Jump to behavior

Source: C:\Users\user\Desktop\$RDPLVFM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'

Source: sqldb_write.2.dr	Binary or memory string: SELECT value FROM config WHERE tag='%s';%sINSERT INTO config (tag,value) values ('%s','%s');UPDATE config SET value='%s' where tag='%s';Y@@?
Source: timer_demon.2.dr	Binary or memory string: INSERT INTO config (tag,value) values ('%s','%s');UPDATE config SET value='%s' where tag='%s';%4.2f%ld* SQLDB_READ_STRING ERROR: LOCKED ! SQL="%s" *
Source: sqldb_write.2.dr	Binary or memory string: SELECT value FROM config WHERE tag='%s';
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO frontend select * from merge.frontend;
Source: i2c_demon.2.dr	Binary or memory string: CREATE TABLE [i2c_new] ([id] INTEGER NOT NULL PRIMARY KEY, [chip_number] INTEGER NOT NULL DEFAULT '0',[chip_address] INTEGER NOT NULL DEFAULT '0',[i2c_bus] INTEGER NOT NULL DEFAULT '0',[i2c_group] INTEGER NOT NULL DEFAULT '0',[i2c_port] INTEGER NOT NULL DEFAULT '0',[i2c_mux_enabled] INTEGER NOT NULL DEFAULT '0',[i2c_mux_port] INTEGER NOT NULL DEFAULT '0',[timestamp] TEXT NOT NULL DEFAULT '00000000', [comment] TEXT default '');
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO sensors_logical select * from merge.sensors_logical;
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO timer select * from merge.timer;
Source: update_demon.2.dr	Binary or memory string: INSERT INTO config (tag,value) values ('%s','%s');UPDATE config SET value='%s' where tag='%s';%4.2f/etc/allnetenv/config.s3db* SQLDB_READ_STRING ERROR: LOCKED ! SQL="%s" *
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO users select * from merge.users;
Source: sqldb_write.2.dr	Binary or memory string: UPDATE config SET value='%s' where tag='%s';
Source: sqldb_write.2.dr	Binary or memory string: INSERT INTO config (tag,value) values ('%s','%s');
Source: i2c_demon.2.dr	Binary or memory string: INSERT INTO config (tag,value) values ('%s','%s');UPDATE config SET value='%s' where tag='%s';%4.2f* SQLDB_READ_STRING ERROR: LOCKED ! SQL="%s" *
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO external select * from merge.external;
Source: i2c_demon.2.dr	Binary or memory string: CREATE TABLE [i2c_all] ([id] INTEGER NOT NULL PRIMARY KEY, [chip_number] INTEGER NOT NULL DEFAULT '0',[chip_address] INTEGER NOT NULL DEFAULT '0',[i2c_bus] INTEGER NOT NULL DEFAULT '0',[i2c_group] INTEGER NOT NULL DEFAULT '0',[i2c_port] INTEGER NOT NULL DEFAULT '0',[i2c_mux_enabled] INTEGER NOT NULL DEFAULT '0',[i2c_mux_port] INTEGER NOT NULL DEFAULT '0',[external_dbid] INTEGER NOT NULL DEFAULT '0',[timestamp] TEXT NOT NULL DEFAULT '00000000', [comment] TEXT default '');
Source: query_resetbutton.2.dr	Binary or memory string: INSERT INTO config (tag,value) values ('%s','%s');UPDATE config SET value='%s' where tag='%s';%4.2f%ld/etc/allnetenv/config.s3db* SQLDB_READ_STRING ERROR: LOCKED ! SQL="%s" *
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO mapping select * from merge.mapping;
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO config select * from merge.config;
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO camera_upload select * from merge.camera_upload;
Source: restore.sql.2.dr	Binary or memory string: INSERT or REPLACE INTO matrix select * from merge.matrix;

Source: $RDPLVFM.exe

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\$RDPLVFM.exe 'C:\Users\user\Desktop\$RDPLVFM.exe'
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe x -y patchfiles.zip
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe x -y patchfiles.zip
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Source: C:\Users\user\Desktop\$RDPLVFM.exe

File written: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lang.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Window found: window name: SysTabControl32

Source: $RDPLVFM.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: $RDPLVFM.exe

Static file information: File size 7715840 > 1048576

Source: $RDPLVFM.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x751400

Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: $RDPLVFM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: $RDPLVFM.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: $RDPLVFM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: $RDPLVFM.exe
Source:	Binary string: wextract.pdbGCTL source: $RDPLVFM.exe

Source: $RDPLVFM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: $RDPLVFM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: $RDPLVFM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: $RDPLVFM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: $RDPLVFM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: $RDPLVFM.exe

Static PE information: 0xE68AAE13 [Fri Jul 25 18:16:51 2092 UTC]

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F23920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

Source: alp.exe.0.dr

Static PE information: real checksum: 0xf38fa should be: 0xfdcb3

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048C9C0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_0048CD70 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Code function: 6_2_00F16B05 push ecx; ret

Source: C:\Users\user\Desktop\$RDPLVFM.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\plink.exe
Source: C:\Users\user\Desktop\$RDPLVFM.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\pscp.exe
Source: C:\Users\user\Desktop\$RDPLVFM.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Jump to dropped file
Source: C:\Users\user\Desktop\$RDPLVFM.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Jump to dropped file

Source: C:\Users\user\Desktop\$RDPLVFM.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Window / User API: threadDelayed 9998
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Window / User API: foregroundWindowGot 500
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Window / User API: foregroundWindowGot 1274

Source: C:\Users\user\Desktop\$RDPLVFM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\plink.exe
Source: C:\Users\user\Desktop\$RDPLVFM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\pscp.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe TID: 6748

Thread sleep time: -99980s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Thread sleep count: Count: 9998 delay: -10

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00405FB7 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	Code function: 2_2_00407D3F FindFirstFileW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe

Code function: 2_2_00408D40 GetSystemInfo,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lang.ini
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	File opened: C:\Users\user\

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F23920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F23920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F23920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F26F40 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe

Code function: 6_2_00F181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: $RDPLVFM.exe, 00000000.00000002.1160682065.000002368DB40000.00000002.00000001.sdmp, alp.exe, 00000006.00000002.1162446635.0000000001FD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: $RDPLVFM.exe, 00000000.00000002.1160682065.000002368DB40000.00000002.00000001.sdmp, alp.exe, 00000006.00000002.1162446635.0000000001FD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: $RDPLVFM.exe, 00000000.00000002.1160682065.000002368DB40000.00000002.00000001.sdmp, alp.exe, 00000006.00000002.1162446635.0000000001FD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: alp.exe, 00000006.00000000.648738365.0000000000F9E000.00000002.00020000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: $RDPLVFM.exe, 00000000.00000002.1160682065.000002368DB40000.00000002.00000001.sdmp, alp.exe, 00000006.00000002.1162446635.0000000001FD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\$RDPLVFM.exe

Code function: 0_2_00007FF63C4B80F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Virtualization/Sandbox Evasion2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection2	Access Token Manipulation1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Process Injection2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	File and Directory Discovery4	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	System Information Discovery4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
$RDPLVFM.exe	12%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe	8%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.cryptologie.net/article/126/bruteforce-apr1-hashes/	0%	Avira URL Cloud	safe
http://docs.allnetnetworks.com/direct.php	0%	Avira URL Cloud	safe
http://www.domain.dom/ca-crl.pem	0%	Avira URL Cloud	safe
http://docs.allnetnetworks.com/	0%	Avira URL Cloud	safe
http://www.stepanreznikov.com/js-shortcuts/	0%	Avira URL Cloud	safe
https://192.168.1.19/xml/jsonswitch.php?id=168&set=8.8&fading=16.9	0%	Avira URL Cloud	safe
http://docs.allnetnetworks.com/check.php	0%	Avira URL Cloud	safe
http://192.168.0.100/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.cryptologie.net/article/126/bruteforce-apr1-hashes/	crypt.php.2.dr	false	Avira URL Cloud: safe	unknown
http://www.filamentgroup.com	jquery.download.js.2.dr	false		high
https://update.allnet.de/v3/	offlineupdate.sh.2.dr	false		high
http://www.autoitscript.com/autoit3/R	alp.exe, 00000006.00000000.648836045.0000000000FB4000.00000002.00020000.sdmp	false		high
http://www.wetter.com/wetter_rss/wetter.xml)	lang_fr.ini.2.dr	false		high
http://docs.allnetnetworks.com/direct.php	documentation.php.2.dr	false	Avira URL Cloud: safe	unknown
http://www.domain.dom/ca-crl.pem	openssl.cnf.2.dr	false	Avira URL Cloud: safe	unknown
http://jqueryui.com	jquery-ui-1.11.4.custom.min.css.2.dr	false		high
http://www.lighttpd.net/documentation/access.html	access_log.conf.2.dr	false		high
https://jquery.org/license/	about.html.2.dr	false		high
https://github.com/whitehat101/apr1-md5	crypt.php.2.dr	false		high
https://github.com/HanSolo/SteelSeries-Canvas/	about.html.2.dr	false		high
http://www.allnet.de	test_connection.sh.2.dr	false		high
http://docs.allnetnetworks.com/	documentation.php.2.dr	false	Avira URL Cloud: safe	unknown
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert	ca-certificates.crt.2.dr	false		high
http://www.openssl.org/support/faq.html	libcrypto.so.2.dr	false		high
http://curl.haxx.se/docs/http-cookies.html	libcurl.so.4.2.dr	false		high
http://twitter.github.com/bootstrap/assets/css/bootstrap.css	jquery.simplecolorpicker.css.2.dr	false		high
http://www.php.net/manual/en/function.crypt.php#73619	crypt.php.2.dr	false		high
http://www.stepanreznikov.com/js-shortcuts/	jquery.short_cuts.js.2.dr	false	Avira URL Cloud: safe	unknown
http://aspirine.org/htpasswd_en.html	crypt.php.2.dr	false		high
https://github.com/flot/flot/blob/master/LICENSE.txt	about.html.2.dr	false		high
http://www.opensource.org/licenses/mit-license.php	jquery.blockUI.min.js.2.dr	false		high
https://update.allnet.de/	checkupdate.sh.2.dr	false		high
http://www.openssl.org/support/faq.htmlRAND	libcrypto.so.2.dr	false		high
https://creativecommons.org/licenses/by-sa/3.0/	jquery-ui.icon-font.css.2.dr	false		high
http://jqueryui.com/themeroller/?ffDefault=Arial%2C%20Helvetica%2C%20sans-serif&fwDefault=normal&fsD	jquery-ui-1.11.4.custom.min.css.2.dr	false		high
https://192.168.1.19/xml/jsonswitch.php?id=168&set=8.8&fading=16.9	7za.exe, 00000002.00000003.645520903.00000000007C0000.00000004.00000001.sdmp, jsonswitch.php.2.dr	false	Avira URL Cloud: safe	unknown
http://www.google.de	test_connection.sh.2.dr	false		high
https://jquery.com/	about.html.2.dr	false		high
http://www.filamentgroup.com/lab/jquery_plugin_for_requesting_ajax_like_file_downloads/	jquery.download.js.2.dr	false		high
http://www.allnet.de/gpl.html	about.html.2.dr	false		high
http://malsup.com/jquery/block/	jquery.blockUI.min.js.2.dr	false		high
http://docs.allnetnetworks.com/check.php	documentation.php.2.dr	false	Avira URL Cloud: safe	unknown
http://192.168.0.100/	status.php.2.dr	false	Avira URL Cloud: safe	unknown
http://www.gnu.org/licenses/gpl.html	jquery-ui.icon-font.css.2.dr, jquery.blockUI.min.js.2.dr	false		high
https://github.com/twitter/bootstrap/blob/master/less/dropdowns.less	jquery.simplecolorpicker.css.2.dr	false		high
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html	crypt.php.2.dr	false		high
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co	crypt.php.2.dr	false		high
http://openweathermap.org/	7za.exe, 00000002.00000003.645520903.00000000007C0000.00000004.00000001.sdmp	false		high
http://trentrichardson.com/examples/timepicker	jquery.timepicker.min.js.2.dr	false		high
http://www.flotcharts.org/	about.html.2.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392874
Start date:	19.04.2021
Start time:	23:29:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	$RDPLVFM.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@7/561@0/0
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 70% Quality standard deviation: 31.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, wermgr.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Created / dropped Files have been reduced to 100 Execution Graph export aborted for target $RDPLVFM.exe, PID 7136 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe	IEUser.exe	Get hash	malicious	Browse
	2018_19_S1_A1.exe	Get hash	malicious	Browse
	2018_19_S1_A1.exe	Get hash	malicious	Browse
	2018_19_S1_A1.exe	Get hash	malicious	Browse
	CDaNsQ7Rrd.exe	Get hash	malicious	Browse
	runme.exe	Get hash	malicious	Browse
	tes2.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	690688
Entropy (8bit):	6.581619840895496
Encrypted:	false
SSDEEP:	12288:rmJysC11szmzqS/Vf3gny3MhcGsnWrfATfkeafIO3rn1ExwnZE1f:r9s/zmT/my8zoW6ff4rn1ExwZE
MD5:	0184E6EBE133EF41A8CC6EF98A263712
SHA1:	CB9F603E061AEF833A2DB501AA8BA6BA007D768E
SHA-256:	DD6D7AF00EF4CA89A319A230CDD094275C3A1D365807FE5B34133324BDAA0229
SHA-512:	6FEC04E7369858970063E94358AEC7FE872886B5EA440B4A11713B08511BA3EBE8F3D9312E32883B38BAE66E42BC8E208E11678C383A5AD0F7CC0ABE29C3A8ED
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IEUser.exe, Detection: malicious, Browse Filename: 2018_19_S1_A1.exe, Detection: malicious, Browse Filename: 2018_19_S1_A1.exe, Detection: malicious, Browse Filename: 2018_19_S1_A1.exe, Detection: malicious, Browse Filename: CDaNsQ7Rrd.exe, Detection: malicious, Browse Filename: runme.exe, Detection: malicious, Browse Filename: tes2.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,"..Bq..Bq..Bq..Nq.Bq..Iq.BqB.Lq.Bq..Hq.Bq..Fq.BqO..q..Bq..CqN.BqB..q.Bq..Iqy.Bq...q.Bq...q.Bq..Dq..BqRich..Bq........................PE..L...+.Y........../......8...................P....@..........................@..............................................,...x....0..@............................................................................P..(............................text....7.......8.................. ..`.rdata...@...P...B...<..............@..@.data....r...........~..............@....sxdata...... ......................@....rsrc...@....0......................@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\allnet.ico Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	MS Windows icon resource - 1 icon, 16x12, 8 bits/pixel
Category:	dropped
Size (bytes):	1326
Entropy (8bit):	3.83221656975948
Encrypted:	false
SSDEEP:	24:QlTYSDdj/lJmJf5Qf1wSy+mH/Mx5dpNqD9a:6jFlYJf6fSSy+KUxDTq
MD5:	6B395E553E4925B2D51F9B545D065867
SHA1:	8A5D106507ADEE4878514AD55CCC332DCA419CDC
SHA-256:	CE16DBE6B0A50CE54A2BD0BBFA86F0E357B94D4327B336686588255749D7A89A
SHA-512:	23B953ED866F4CFFD497FAD72B65653CCDAF1B9A588223F028A0067BDF83E03D8440C377FACAB5448B1A2A3444184591A209F0BC922B90A3C64EFD16298F53BF
Malicious:	false
Reputation:	low
Preview:	......................(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.au3 Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	11337
Entropy (8bit):	5.592504389889568
Encrypted:	false
SSDEEP:	192:0Omn37k80hkTsTdjilUT74yEQCYxiMza8q2T453f5/78aa3qn9d7dQtrVW1SwvGu:0Oi37k80hkUEQCYIGaZI41fBYaa3q9dl
MD5:	D1B3DE90B68F99BAD69B845FFAE0A954
SHA1:	98DFC9B732E9FCF04411C059310BEFF3C987748D
SHA-256:	81318D237D6907B38B7819F5EF738206AFDEBE9ECEC85CC69D9FED13F3B6022A
SHA-512:	99441B6B82081F7D5504279626DE6430C45C21464B0DD2A6CD9A08F45D8431760F785BA225D66F4F8FEFC9F58DDCFE5D902840451243FFABC0C47C701DF7651F
Malicious:	false
Reputation:	low
Preview:	#Region ;** Directives created by AutoIt3Wrapper_GUI ..#AutoIt3Wrapper_Res_Description=ALLNET Local Patcher..#AutoIt3Wrapper_Res_Fileversion=1.2..#AutoIt3Wrapper_Res_LegalCopyright=ALLNET GmbH Computersysteme..#AutoIt3Wrapper_Add_Constants=n..#EndRegion ; Directives created by AutoIt3Wrapper_GUI **..#include <Constants.au3>..#include <AutoItConstants.au3>..#include <MsgBoxConstants.au3>..#include <Array.au3>..#include <ButtonConstants.au3>..#include <EditConstants.au3>..#include <Date.au3>..#include <GUIConstantsEx.au3>..#include <StaticConstants.au3>..#include <TabConstants.au3>..#include <WindowsConstants.au3>..#Region ### START Koda GUI section ### Form=c:\users\normal\desktop\au\lp_form.kxf....Global $iGuiWidth = 323, $iGuiHeight = 233, $iGuiXPos = (@DesktopWidth / 2) - $iGuiWidth / 2, $iGuiYPos = (@DesktopHeight / 2) - $iGuiHeight / 2....Local $lang = IniReadSection(@ScriptDir & "\lang.ini", "de")....Local $source = IniRead(@ScriptDir & "\patch.ini", "path", "source",

C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	985600
Entropy (8bit):	6.81888999580384
Encrypted:	false
SSDEEP:	12288:dtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+TheynGHFTxKXSt6A:dtb20pkaCqT5TBWgNQ7amhrnGRCSt6A
MD5:	BF506999F29EAAB4910A08ED740C12FB
SHA1:	63D54DF698490405F147C020A7EA8835AA41264E
SHA-256:	4A6000E16261941A671473DC67CBE7C7DA90A88A13ACA63E8B2EA1968D9E3AD6
SHA-512:	E2870B422AEF4A95C62F37152D331632B4A59643999DBB73D3F2B93FDAD95ED3D12A9F8D70C19EC06FD366112DD7E0CF1E70B379D11ECCB11C278CDDE05284B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L....^.Y.........."..........P......t_............@..........................p.......8....@...@.......@......................p..\|....@..@y......................Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc...@y...@...z..................@..@.reloc..t............d..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\lang.ini Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.191323439459187
Encrypted:	false
SSDEEP:	24:wWXIW4SPFpuATSgLlqvwMVuE11cRqUPQ7bTWy0+Byvc2JxfJSWt3snnEohbBbf+4:JIgFoA5kI3E11cRnkbTYD7BB3snEmbRl
MD5:	EBD1F6AA84ECA83F3BE7E9D122AD91E8
SHA1:	35FF5533F80EBA4FC23085AC99A95CC60BDEB341
SHA-256:	EA79D91121A27035349BD2D15DDD8B2C5042439EA02B48799A2174E6073B50D0
SHA-512:	B63EB97FF185746DB3EFBE71BBB3E3E4D5A43651100A37704C01385C8115F72B9157DF22EB5350BD6864A1257346A899B31C8DEA9EB04065FD10927783D32B5E
Malicious:	false
Reputation:	low
Preview:	[de]..1=Standard..2=Start..3=Abbrechen..4=Ger.te IP Adresse..5=(z.B. 192.168.0.100)..6=Benutzer..7=Passwort..8=Port..9=Felder leer lassen wenn Standard..10=Pr.fe Ger.t..11=KEINE g.ltige IP-Adresse ..12=Bitte warten.....13=kopiere aktuelle Dateien.....14=Ein Fehler ist aufgetreten..15=Benutzer oder Passwort falsch..16=Falscher Ger.te Typ: Dieser Patch ist nicht geeignet f.r dieses Ger.t..17=Falsche Version: Ger.te Version..18=Ger.t erf.llt nicht die Voraussetzungen: ..19=Ger.t gefunden:..20=Version:..21=Korrigiere Berechtigungen.....22= nicht gefunden!..23=Failed to connect..24=Fertig.....25=Aktualisierung beendet...26=BITTE STARTEN SIE DAS GER.T NEU!!!..27=Erweitert....[en]..1=Standard..2=Start..3=Cancel..4=Device IP Address..5=(e.g. 192.168.0.100)..6=User..7=Password..8=Port..9=Leave fields blank for default..10=Check device accessibility..11=NOT a valid IP address ..12=Please wait.....13=Copy current files.....14=An Error has Occurred..15=User or Password wrong..16=Wrong Devicetype:

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patch.ini Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	847
Entropy (8bit):	4.891955094061641
Encrypted:	false
SSDEEP:	12:/XDvOZXFo1BFo9tNPUKA1BF4fpNPUBNBFAfpNPURKxMfm1XXN6vCEN4AGA:/XDOxFoLmrKRLSBKVKBKRAMfmXgakrGA
MD5:	B1D77CA9010A53546B254D33F05EFB3B
SHA1:	2117C34F1599F4A2604E8A61300EDADF635E719F
SHA-256:	35BC69B411F1F551F4D501FE2BEE0880206E9672EEF620C972E470973C63909E
SHA-512:	10D1B439BC734930FA7FD6E6ED648F87DDBEF6F6D4DCB85A116E6B1783D4373B77CFEAE11868C744EC7B78AD2A5503D88D9D5C694907750D10123D2FA578D143
Malicious:	false
Reputation:	low
Preview:	[check]..deviceType=ALL3505..major=3..version=1000..[path]..source=\patchfiles\..target=/..[command]..check=[ -f /etc/default/device ] && { cat /etc/default/device \| tr -d '\n' > /root/info;echo -n '#' >> /root/info;cat /etc/default/version \| tr -d '\n' >> /root/info; } \|\| { /usr/sbin/allnet/sqldb_read /control/devicetype \| tr -d '\n' > /root/info;echo -n '#' >> /root/info;/usr/sbin/allnet/sqldb_read /sys/firmware/versionnum \| tr -d '\n' >> /root/info;echo -n ';' >> /root/info;/usr/sbin/allnet/sqldb_read /sys/firmware/patch \| tr -d '\n' >> /root/info; };cat /root/info;rm -rf /root/info;"..cleanupbefore=/etc/scripts/allnet.sh stop;/etc/scripts/httpd.sh stop;sleep 2;rm -rf /etc/init.d/;rm -rf /etc/scripts/;rm -rf /www;rm -rf /usr/sbin/allnet/;rm -rf /usr/apache;..start=/bin/chmod -R 775 /etc/scripts/*;/etc/scripts/laststate.sh;......

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles.zip Download File
Process:	C:\Users\user\Desktop\$RDPLVFM.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	7888797
Entropy (8bit):	7.984738501222126
Encrypted:	false
SSDEEP:	196608:oeQePs7OSbEb0rOEb0rmWyescTxSyIXmZj727vt:BDPKEbREba9R7u
MD5:	1C3573EC49D388226060CF7494660017
SHA1:	1AC4498CBA4457D1CB3DBC07D54C7B2F56571FD2
SHA-256:	E72D614F1E5BF8F3897F166F0CE1CAFDD6CA1C263795871034AA80440AB690A9
SHA-512:	39C7FFC90E08BBE3A7E50BFCCB380C6550DF452107B2EDF237F9EC2E1A2146F34F52FA4515351273BC8A41D6991F8B24BB2F7177314FDA5763BE06FA10B415E8
Malicious:	false
Reputation:	low
Preview:	PK.........q.J................patchfiles/PK........Mq;K................patchfiles/etc/PK.........q.J................patchfiles/etc/crontab/PK........)q.J..K.%...%.......patchfiles/etc/crontab/root/15 * * * /etc/scripts/ntpdate.sh.PK........P\uJ................patchfiles/etc/data_accessPK.........>=K................patchfiles/etc/default/PK........f<3Kt...G...t...(...patchfiles/etc/default/accessHelper.json..!.. ....1~&..fO...~Cvf.-...n..7.r..&..T...tU.D..x.j.....[:....r...s_>PK.........>=K.a..14.........patchfiles/etc/default/config_default.s3db...T...$9..RC)%...hbH.K.ech..B.Z..H......z..V..{......{.w_..\|.74lI...K......?...y..&....DI.!..8t+Q..wN?.!.Ef....>d......(w.=.G......$.N...Sx...MB..^......n_J.d...2...v...KV..S.........i.q0..j..6.%noWW...=.f)......#..$...!.1..$.[.>3.(.,..M..^.........3..sn..xn......S$..%..m..)..,.7J.\|.X,%.%gt"....;.Jeg.....[-..)..Wv-c..^.+..'..l"..%..fD....a6.xj.....eQ1...D&.v!.)3.a.....9%.O.n.x.$..V3..\|.T.gL0...'ywf)...rn&........m.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\crontab\root Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.858800164249569
Encrypted:	false
SSDEEP:	3:HQFPF/w2URvr4Auv:6CBRvr4Auv
MD5:	DAA087CC6BF5DA2118A1F6FF9FFCAC91
SHA1:	71D3DE81EC1751CD9D042066AA35F1701753A7F0
SHA-256:	028CD79911144DA67B81D5F8DCE64C5E960E207E6A06D4E4B13E05D378420F8A
SHA-512:	9CC2B9C68EDA45433F14ECCC59E7781458147064901FC6883E33A0D5A5620408742E17B494261CA863E97CBB5CAA5D85080ADFD7A657177485864EE5F73974AD
Malicious:	false
Reputation:	low
Preview:	/15 * * * /etc/scripts/ntpdate.sh.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\accessHelper.json Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.168516940483497
Encrypted:	false
SSDEEP:	3:YERmRXmaCirJ3A3sLxmaCirJ2INKVgwCKCn:YEM0aCmZL0aCmYPrCKCn
MD5:	471F2250EB48633B9E9EC07BDBCA3B98
SHA1:	D6469CD09897D4D3A18215619675452662728CC7
SHA-256:	8E1F68F78B6A1240E97A9FC5CE3C62D1A2930F7CCD4C2811EEC55348AF570B35
SHA-512:	6A9ABE3EBC5048FCA803CC56B9B930BD0E479A10E7E2D06C6C6011E09694B0A3AA501CD791EC754EFB0E32E41DF33666574191CFDFD2C1D1EB3FCA023D756B2A
Malicious:	false
Reputation:	low
Preview:	{"accessControl":{"enabled":"0","users":[]},"remoteControl":{"enabled":"0","users":[]},"slaveMode":{"enabled":"0"}}.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\config_default.s3db Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	SQLite 3.x database, last written using SQLite version 3015002
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	5.405214449328123
Encrypted:	false
SSDEEP:	768:+D1vlLc+pLqFDIpAZLfG4fQ6Yp8Z+HUmQaBmel:+BlLbOFspAZLfBYn0+vnl
MD5:	9347C01E0F4A9B29484E4012AC676897
SHA1:	223A54D551E828E3C0ECCEEA4B55CE687999CC14
SHA-256:	E8515C6EAE200F591B5F755B9DF902079F82067660FF473A0D47445AF319469D
SHA-512:	2D8CA699050CF7EDAAEE144C274450B87D01A64399C52647BDA89CD6AB68B9F1FEFA1A06603112CA55E87410025C2ADB9497D9E5057061548E88C888519916C3
Malicious:	false
Preview:	SQLite format 3......@ ..F....7..............................................................F....Z....................................................................................................................................................................................................................................................P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).S........tabletimertimer.CREATE TABLE [timer] (. [id] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,. [name] text NULL,. [description] text NULL,. [start] text NULL,. [action] text NULL,. [mo] text NULL,. [tu] text NULL,. [we] text NULL,. [th] text NULL,. [fr] text NULL,. [sa] text NULL,. [su] text NULL,. [actor] text NULL,. [active] text NULL,. [command] text NULL., [actor_type] text NOT NULL DEFAULT 2, [actor_analogValue] text, matrixID TEXT, matrixAction TEXT, flowControlID TEXT, timerType TEXT NOT NULL DEFAULT 0, sunInfo.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\daemons Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	128
Entropy (8bit):	3.9347392422078142
Encrypted:	false
SSDEEP:	3:CMviMXsIQvRJYIKbNXRMcqt6XlqBtQvXgXMN27vIK7Xo4QVBERfBAIQvELgKd73b:piM8IQvzwJRMt61q4vU7vIKTo4Qr4fBT
MD5:	5063C29EFAE4AF6C67B6544972C10831
SHA1:	7760BDFB54580B49A0F9371E3951B843C6E57037
SHA-256:	6329F108469D63C976F1FC99C0B23A95638413BFE04310FD6AA53C33A898CFAE
SHA-512:	895336E0782EBCF5BEE8D78C9FF65E41F079916395CF98F18ADD041C30D341161FA7D4C6120FD29357618857532B118C5DB999FE0E42C3241A2C6083FBF3CC18
Malicious:	false
Preview:	sensor_shm_demon.i2c_demon.timer_demon.history_demon.rc_read_demon.rc_write_demon.monitoring_demon.update_demon.analogctl_demon.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\dependent Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.773557262275185
Encrypted:	false
SSDEEP:	3:5xL2IQ6n:vKB6
MD5:	5699C3BBB2C27F1123B2C48CAB9FD7D6
SHA1:	B8D461347D5DD70CB0581A5C21960EF9099FCEAD
SHA-256:	A69326345C3C58E0FE00DB14682ECEF30FCFD3A10763D6C04BCCAD01A9D89F95
SHA-512:	6EBA6F87AC596A84DDAB53AECF5529BEBFD72DBF169E160393478A2DE13AA46497275EF162D6E3EF3EF180811D65FE885D6E17AE5D7F826EBD854ECCA914766D
Malicious:	false
Preview:	matrix_demon 5.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\device Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:sX6n:F
MD5:	87A0308ACC5106AA0B707E5062EFEC57
SHA1:	4E9FC12BEE7772597C5EC1A41A112BBC6D73F7EE
SHA-256:	CACE767F096157DF4C06797AC7D572A0F2DCD7EF7BF3001DFBCDCA85658D647F
SHA-512:	3631AC15BF13D672D84645FCD0BEA2CC6C1AD5F001326B8011F330460BDFBD316B9A2C2299BED85A5E710B10E4967B5682FCC3EDCB63E752D1E0529A8EE0FD26
Malicious:	false
Preview:	ALL3505

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\sqlite.cnf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.3787834934861767
Encrypted:	false
SSDEEP:	3:pEURKe:pVKe
MD5:	01FD8BD297D99AC87E52D57AFC0A9B24
SHA1:	EFA85AB74E173AFCC532C0DA462F7363BD8306C4
SHA-256:	B55D279AFCE626E557C854498BA6A12C40675D6ED73C59A9A713C9D918D36F01
SHA-512:	DB132312B9DA431567C5F06E4FFFB1C85610CD8D6A8C24391A800ACFE7534CE8572ED10EFF1BE40249B4B9323290B4FE64F7EEE636C06EF960D948DE5DBF86DD
Malicious:	false
Preview:	.separator ';'

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\default\version Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:RLU3X:5Un
MD5:	951F5DBFD3B0B2F7BDCB669CDD60B8F6
SHA1:	AC43518A75C6340E66452E4AC208A551A4F5F5EB
SHA-256:	381495CF80973CD0AD8A52481D2B4CC2364077D8504A03316E1B7E8D300A03CD
SHA-512:	272FD35F6054141F617406645017919707AD276BC1795C11D44D85AEC42F701001E11CCE65C00C69CD221702E3CD68AB878D59D2225497B0F777523332E7846C
Malicious:	false
Preview:	335;1082

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\group Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	224
Entropy (8bit):	4.251232014207013
Encrypted:	false
SSDEEP:	6:fzMmmd4MWo7oQ5P2vujzYTQv4XfDv1Lly+YQtUV/Hn:fz2d4XowmjzYTQvKL1LlyVQtUV/n
MD5:	DA358ADBF58E54ADBF01A2CF21FED955
SHA1:	05B8EAB2CCA239F208D41D2DF3A8BBDFEA8FA6F0
SHA-256:	AEB15A0A594B49B5422A2A7ADC938CFE22F9959B154C380D80773399B2E56D25
SHA-512:	83ADFF94683F3EFDB25BB736A8107B48A424E4328F5750DCF2CEDAA0501F1FA31732C59687D338F09667C2F06C89CE0484D2F3B4FD5700AD945D8934D6601625
Malicious:	false
Preview:	root:x:0:.daemon:x:1:.bin:x:2:.sys:x:3:.adm:x:4:.tty:x:5:.disk:x:6:.wheel:x:10:root.audio:x:29:.utmp:x:43:.staff:x:50:.haldaemon:x:68:.dbus:x:81:.netdev:x:82:.ftp:x:83.nobody:x:99:.nogroup:x:99:.users:x:100:.default:x:1000:.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S00_firststart Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1782
Entropy (8bit):	5.326815325531047
Encrypted:	false
SSDEEP:	48:ZDHjt3ishi4kUDwuSP02/ENEJegRkghIlL3EPEq:xNi4JeP02/ENEJNQ3EPEq
MD5:	74ADB5E6F977C9D0E661F71DA2F88FA1
SHA1:	84C1DEBDFE644390A464428C70BBD0FFB8226417
SHA-256:	DB9C4A57019548401ACF8943E722B71A369B7F0DEFDF2D4E5C2006999491838A
SHA-512:	46CABBF3B47498F52D22D90DE8EB7985742AC4F702E621CBC3ADAB99013A03CA97B366C71325E0F755184DCEFD0BB21D1244446DD4D6A3CFE9D635BA705D6DF6
Malicious:	false
Preview:	#!/bin/sh.setTestChip() {../usr/bin/sqlite3 /etc/default/config_default.s3db "UPDATE external SET i2c_chip_id = '$chipid', i2c_primary_chip_number = '$primarychipnumber', i2c_primary_chip_address = '$primarychipaddress' WHERE id ='1';"..result=$?..echo "RES: $result".}..testTemperatureChip() {..echo -e "\033[01;33m[S00] -- FIRST START -> Check chip id \033[01;0m" #> /dev/console..count=3..result=1..chip=$(/usr/sbin/allnet/chip_type_test)..chipid=$(echo $chip \| cut -d';' -f1)..primarychipnumber=$(echo $chip \| cut -d';' -f2)..primarychipaddress=$(echo $chip \| cut -d';' -f3)...echo "Try inject config_default.s3db with found chip information: $chip"..while [ $result -ne 0 ]..do...setTestChip...compare=$(/usr/bin/sqlite3 -init /etc/default/sqlite.cnf /etc/default/config_default.s3db "SELECT i2c_chip_id, i2c_primary_chip_number, i2c_primary_chip_address FROM external WHERE id = '1';" 2> /dev/nul )...if [ $compare == $chip ]; then....echo -e "\033[01;32mInject config_default.s3db with found c

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S10_init Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	5.394353925604677
Encrypted:	false
SSDEEP:	48:93Ba209MBaYBCFEDiWgnz9xBBvp1GJuKdT2:K20WB5Gz9xBlp122
MD5:	8CF9630E8AAB90AAE563B10FE536CC18
SHA1:	0010DF25AF313F62EDBF408B03C832B66F03D1DA
SHA-256:	A12B054989895A65BE40F0636AB102063724BB792EAF01197246EC8B7A610C85
SHA-512:	3CA6484E26B58BF6040223565A7A8A62678FB8B54C62144FADD8B7CDAFBA89151054AD52C1716F22414E03A88E6E4DD10DD0998E89FE63364C109D70712D5F3C
Malicious:	false
Preview:	#!/bin/sh.checkDirectories() {..HWID=`cat /etc/default/device`..printf "\e[1;33m%-50s\e[0m%s" "Starting Checking directories"..[ ! -d /tmp/wwwreports ] && mkdir -m777 /tmp/wwwreports..[ ! -d /tmp/wwwxml ] && mkdir -m777 /tmp/wwwxml..[ ! -d /tmp/svg ] && mkdir -m777 /tmp/svg..[ ! -d /var/run/lighttpd ] && mkdir -m777 /var/run/lighttpd..# Directorys for Version V3..[ ! -d /etc/allnetenv/log ] && mkdir -m775 /etc/allnetenv/log..[ ! -d /etc/allnetenv/log/day-0 ] && mkdir -m775 /etc/allnetenv/log/day-0..[ ! -d /etc/allnetenv/log/day-1 ] && mkdir -m775 /etc/allnetenv/log/day-1..[ ! -d /etc/allnetenv/log/day-2 ] && mkdir -m775 /etc/allnetenv/log/day-2..[ ! -d /etc/allnetenv/outputs ] && mkdir -m775 /etc/allnetenv/outputs..[ ! -d /etc/allnetenv/counter ] && mkdir -m775 /etc/allnetenv/counter..[ ! -h /usr/bin/php ] && ln -s /usr/bin/call.sh /usr/bin/php..[ ! -f /etc/allnetenv/accessHelper.json ] && cp /etc/default/accessHelper.json /etc/allnetenv/..if [ -f /etc/default/extend.json ];

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S15_drivers Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2554
Entropy (8bit):	4.994948767256248
Encrypted:	false
SSDEEP:	48:/sNF/MfN8zNspPBykXHGlN83TmGeQT2NuCqvgF8elavcYvHvOsOJpLH:GJMfN8zNsJB1XN/2BavcYvHvtOJpr
MD5:	33DEA4DBD30B15C36CA72F740286ED5F
SHA1:	274CC3C9A4D4339C63FEC145347D697FE74B8B4E
SHA-256:	E1A495CFC7E6C2C3C5023C8DE886ECEBA97D519492ECF5F68EA7AF485C0C8F2F
SHA-512:	EA92D76BDF68B75A136969CA765D9347AA045D648E3644A0B4DD3218E64F11D84A52B2EC0FEC33FB673FDBFB77E882E9DF02A76F916F8CCE23FD90FCA0A6AF23
Malicious:	false
Preview:	#!/bin/sh.#modprobe usbserial.modprobe ftdi_sio.#.# udev.This is a minimal non-LSB version of a UDEV startup script. It.#.was derived by stripping down the udev-058 LSB version for use.#.with buildroot on embedded hardware using Linux 2.6.12+ kernels..#.#.You may need to customize this for your system's resource limits.#.(including startup time!) and administration. For example, if.#.your early userspace has a custom initramfs or initrd you might.#.need /dev much earlier; or without hotpluggable busses (like USB,.#.PCMCIA, MMC/SD, and so on) your /dev might be static after boot..#.#.This script assumes your system boots right into the eventual root.#.filesystem, and that init runs this udev script before any programs.#.needing more device nodes than the bare-bones set -- /dev/console,.#./dev/zero, /dev/null -- that's needed to boot and run this script..#..# old kernels don't use udev.case $(uname -r) in. 2.6\|2.7).;;. *)..exit 0;;.esac..# Check for missing binaries.UDEV_BIN=/s

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S20_network Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	5.3348840809902685
Encrypted:	false
SSDEEP:	24:nKiRKF5mK3KNtPrD3jwmunAD/kj/N/Y/vvFX:K5f6NVTw3ADcj1w3vFX
MD5:	D20BADC24EAF3A25D400748B2E362458
SHA1:	6C199E8CEAC519FD56F219D843B03B3C32B1289A
SHA-256:	6FCD9C27D789493AB6E7A918B5886E610D522F8FF1B9D2CF9581ED47C306C58C
SHA-512:	C6438BA18287C6D2C7A5FB7E875565CFA1CEC14F1F3E1BFDDB48364B0752CEFDD07510BDEA7C1916465F26378DB4997C7634624E476F4B6765523C8CE337E0AD
Malicious:	false
Preview:	#!/bin/sh.HOSTNAME=`/usr/sbin/allnet/sqldb_read /sys/network/hostname`.LOCALDOMAIN=`/usr/sbin/allnet/sqldb_read /sys/network/localdomain`.IP=`/usr/sbin/allnet/sqldb_read /sys/network/lan/ipaddress`.WLAN_MODE=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/mode`..echo -e "\033[01;33m[S20] -- Setting hostname -> \033[00;32m$HOSTNAME\033[00;0m" > /dev/console.echo "$IP.$HOSTNAME.$LOCALDOMAIN.$HOSTNAME" > /etc/hosts.echo "127.0.0.1.localhost.$LOCALDOMAIN.localhost" >> /etc/hosts./bin/hostname $HOSTNAME.$LOCALDOMAIN..if [ ${WLAN_MODE} = "ap" ] ;then..#insmod /root/rt3070ap.ko..modprobe rt2860v2_ap.fi.if [ ${WLAN_MODE} = "sta" ] ;then..#insmod /root/rt3070sta.ko..modprobe rt2860v2_sta.fi.if [ ${WLAN_MODE} = "disabled" ] ;then..#insmod /root/rt3070sta.ko..modprobe rt2860v2_sta.fi.#fi..# Setup bridge.brctl addbr br0 .> /dev/console.brctl stp br0 off.> /dev/console.brctl setfd br0 0.> /dev/console..# Start up LAN interface.ifconfig br0 0.0.0.0 up...> /dev/console./etc/scripts/lan.sh start

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S29ntp Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	571
Entropy (8bit):	4.903480886882991
Encrypted:	false
SSDEEP:	12:aNbcADBqAQrzvRaI2ygR5ejT4AJOxWUMkGKqdURuGKXpy1:aNIAMJxsRUjTNUMVujGpY
MD5:	EA3360C4196BBD5D1F7D92E0082CAC8B
SHA1:	D4A3ECF8E7FCAE320D88EC2A1063DB4A118F88DE
SHA-256:	13E2C2B1B3A1AC6F4AC5DC4CEA5A534443563EBA54A0C3BEED422FB05B6CD21C
SHA-512:	FF55B550913B0A92D674A4E363163D2F8FC719B01BDFD44A29895160936DF97DEB0CE26BC3A2E2962E294A6170A0F284993237935663EBFD60549C7C69A3BB3F
Malicious:	false
Preview:	#! /bin/sh.ENABLE=`/etc/scripts/get /sys/network/ntpd/enabled`.scriptid() {..printf "\n\n\e[42m------------------------------- [S29] -------------------------------\e[0m\n\n".}.case "$1" in. start)..scriptid..if [ ${ENABLE} = "1" ] ; then.. printf "\e[1:33mget/set time\e[0m\n".. /etc/scripts/ntpdate.sh..else. . printf "\e[1:33mtimeserver is disabled!\e[0m\n"..fi..;;. stop)..printf "\e[1:33mget/set time nothing to stop\e[0m\n". ;;. restart\|reload). $0 start. ;;. *). echo "Usage: $0 {start\|stop\|restart\|reload}" >&2. exit 1. ;;.esac..exit 0.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S30_devicefirst Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	409
Entropy (8bit):	5.108539216491394
Encrypted:	false
SSDEEP:	12:1mNPUXvk9VL1J6beNF4FZeNFTQV6beNuB64FZ6MAi6o:1mKXv0JdYuMH4ytLo
MD5:	A0B9483A71411F19418782BACB546F84
SHA1:	3CE912357AFAB851D7DC4327B47731165B3F8538
SHA-256:	39F000B70A376D9F11FEEA85967BF1A8B2E3FD654D11D3A35DA3D5F423514F1E
SHA-512:	45009670AF98481031ADEBF0913F2C8A528D83D51C9236A42BAC1AE5116158296BEF0D1CA2FFED337EB3A42E4727FE1F827393A9E27AC67359D1EA2C12F3DB6A
Malicious:	false
Preview:	#!/bin/sh.HWID=`/usr/sbin/allnet/sqldb_read /sys/hardware/numeric_model`.echo -e -n "\033[01;33m[S30] -- ".if [ ${HWID} = "3651" ] ;then../usr/sbin/allnet/rgb_demon > /dev/console &..sleep 2../usr/sbin/allnet/rgb_out 0 64 0 0 0 0 64 0 0 0.fi.if [ ${HWID} = "5000" ] ;then../usr/sbin/allnet/lcd_demon > /dev/console &..sleep 2.fi.echo -e "\033[01;0m".if [ -f "/tmp/dhcplease" ] ; then..rm -rf /tmp/dhcplease.fi

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S50_systools Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1942
Entropy (8bit):	5.320679733921808
Encrypted:	false
SSDEEP:	24:1mKXv1mK8ACmK+AqmKDZbKDH8Ks4OjY4E/5JkO+sj4YCnA/xi4oCn0X/Dl/LQhO:1ndngn+3nDQDleUPkP6CAxmC0vhTQM
MD5:	E8781DB880550F419F4846AE7A6EAFB1
SHA1:	3684E30E8A50041927CE8133BB3D87AF0493A237
SHA-256:	115454FDDDE3D8152E0D1366F7BC7C4AB157F4E0AF90A1C58F66A2BDDA8DC51A
SHA-512:	6989DC25751A98ADFF5F9FA2D54EB310F30666E6196DB65AB853520612775BBBD1D202C35B72D9812D632EEF32C10DFDF16776E4FDB8A7FF2D542CF4331131D8
Malicious:	false
Preview:	#!/bin/sh.HWID=`/usr/sbin/allnet/sqldb_read /sys/hardware/numeric_model`.FTPENABLED=`/usr/sbin/allnet/sqldb_read /sys/network/ftp/enabled`.SSHENABLED=`/usr/sbin/allnet/sqldb_read /sys/network/sshd/enabled`.SYSLOG_ENABLED=`/usr/sbin/allnet/sqldb_read /sys/logging/syslog_enabled`.SYSLOG_SERVER=`/usr/sbin/allnet/sqldb_read /sys/logging/syslog_server`.INIT=`/usr/sbin/allnet/sqldb_read /device/language`.if [ $INIT = "INIT" ] ; then. SSHENABLED=1.fi.echo -e -n "\033[01;33m[S50] -- Start AVAHI -> \033[01;0m".if [ ${HWID} = "5000" ] ;then../usr/sbin/allnet/lcd_write 0 "Start AVAHI".fi./etc/scripts/avahi.sh start > /dev/console.echo -e "\033[00;32mdone.\033[00;0m" > /dev/console.# SYSLOG.echo -e -n "\033[01;33m[S50] -- Checking syslog -> \033[01;0m".if [ ${SYSLOG_ENABLED} = "1" ] ; then..echo -e "\033[00;32menabled - Logging to: $SYSLOG_SERVER\033[00;0m" > /dev/console../sbin/syslogd -R $SYSLOG_SERVER.else..echo -e "\033[00;32mdisabled - NOTHING TO DO!\033[00;0m" >

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S70daemons Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2804
Entropy (8bit):	5.274702844136209
Encrypted:	false
SSDEEP:	24:aBkrUmEmpB57Nso9iNE4D2awoJsMD8DSU+wmzmpB57NLoJr7XDN7goTPD8DySJh0:Gkr3zsteoU+70LQWcxSJhzN1GNeWj/
MD5:	6C4327C42A1C71BCB8DB960B1043FD40
SHA1:	8AD62B62A5BE0CDBBDC30A8E379AC840E4688299
SHA-256:	2548DF5284B3013074247404F0CA7D5A859B44CB22CE31FA92691DEC43A103A2
SHA-512:	F956D1EED8478DA1D1CB3E3188185116A6576BB88C83932FE06BC1E202848A954BD639F3088AEBCACF3B7033B93EB1D1A9E19736124AE74C286762DB416F1CAB
Malicious:	false
Preview:	#! /bin/sh.daemons() {..cat /etc/default/daemons \| while read action; do...PARAM=""...CHECK=$(echo "$action" \| wc -w)...if [ ${CHECK} -gt 1 ]; then....PARAM=$( echo "$action" \|cut -d\ -f2 )...fi...NAME=$( echo "$action" \|cut -d\ -f0 )...DAEMON=/usr/sbin/allnet/$NAME...if [ $1 -eq 1 ] ;then....test -x $DAEMON....if [ $? -eq 1 ] ;then.....printf "\e[1;33m%-50s\e[0m\e[41m%s\e[0m\n" "Starting $NAME" "NO EXECUTABLE FOUND".....continue....fi....printf "\e[1;33m%-50s\e[0m%s" "Starting $NAME $PARAM"....start-stop-daemon -S -q -b -m -p /var/run/$NAME$PARAM.pid --exec $DAEMON $PARAM >/dev/null....[ $? = 0 ] && printf "\e[42m OK \e[0m\n" \|\| printf "\e[41mFAIL\e[0m\n"...fi;...if [ $1 -eq 0 ] ;then....test -f /var/run/$NAME$PARAM.pid....if [ $? -eq 1 ] ;then.....printf "\e[1;33m%-50s\e[0m\e[41m%s\e[0m\n" "Stopping $NAME $PARAM" "NO PID-FILE FOUND".....continue....fi....printf "\e[1;33m%-50s\e[0m%s" "Stopping $NAME $PARAM"....start-stop-daemon -K -q -p /var/run/$NAME$PARAM.pid >/dev/null....[ $? =

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\S73commands Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.276052251638356
Encrypted:	false
SSDEEP:	3:TFKxKvM2/RdTVgF45kVAPKdTVgbu:JkKFPTVgQPgTVgbu
MD5:	EF4969C354BC8CA9C78929DE0652EE81
SHA1:	35E0A38C7CA223338C6903403799CAF30D9AFD84
SHA-256:	7D9163D0F8D3E1361991B1330AB51AC3EE2B85A7E65CC111B7FFAFEAF02587AC
SHA-512:	8849958507E146B774AFE22F6EA022A3AB7C177CADDBFE82A9910D7D46118B6AF31D03FA7B59C68470BB0B9AC967AE71B3110116F6734D3DFE9FF8A7A924BC05
Malicious:	false
Preview:	#! /bin/sh.if [ -f /etc/default/commands ] ; then. ash /etc/default/commands.fi.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\init.d\rcS Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	408
Entropy (8bit):	4.574016736974536
Encrypted:	false
SSDEEP:	12:3lpzVmZiVzOdmAiz6ty/DuAUNsPXjfM4MxXqN:3TAB5iz6gRYsPjfexaN
MD5:	76F02A748149F1AA945AA418EA65B2BC
SHA1:	754718A94931AF7EF00EB485B947B6BEA5E5496D
SHA-256:	DC1615DF9F2012B20B81FFAD8E07E16293039BA7FD897854CA3646D6CFEA0C0F
SHA-512:	04D4E5716A8B4D5AAFCB8E5F11A3592A33C13658992E9223C52EB40663C6DBF4F007F72F7BD013E4C2F5B4FFB09EF0255D39802AF80577B333D8683FAE95BCC6
Malicious:	false
Preview:	#!/bin/sh...# Start all init scripts in /etc/init.d.# executing them in numerical order..#.for i in /etc/init.d/S??* ;do.. # Ignore dangling symlinks (if any).. [ ! -f "$i" ] && continue.. case "$i" in...sh).. # Source shell script for speed... (...trap - INT QUIT TSTP...set start.... $i.. ).. ;;..).. # No sh extension, so fork subprocess... $i start.. ;;. esac.done..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\inittab Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1259
Entropy (8bit):	4.988079865434424
Encrypted:	false
SSDEEP:	24:v3AX8eCzRVMB43S58MmktqGDzLSqn8uEMuaj3:AjCzRVMB43SEYF83M7
MD5:	3958B17DC283F7FFACABE410F549515C
SHA1:	98F0CE2EE2639E1A4102289D14FC495368F2B369
SHA-256:	C2B38E16BEA425CA3D1DCFA31CB82DF1CAEBD4EE2C08BE78C36034CC0374C17D
SHA-512:	55AE626440F6591CA18E86469BCA29CE9E8F3D6A03AEFD9D6765F7FA58F781AEAA83610F410F7C83E190CEE685A09053031CC45DB3CB96DE550E2112E95ED40F
Malicious:	false
Preview:	# /etc/inittab.#.# Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>.#.# Note: BusyBox init doesn't support runlevels. The runlevels field is.# completely ignored by BusyBox init. If you want runlevels, use.# sysvinit..#.# Format for each entry: <id>:<runlevels>:<action>:<process>.#.# id == tty to run on, or empty for /dev/console.# runlevels == ignored.# action == one of sysinit, respawn, askfirst, wait, and once.# process == program to run..# Startup the system.null::sysinit:/bin/mount -t proc proc /proc.null::sysinit:/bin/mount -o remount,rw / # REMOUNT_ROOTFS_RW.null::sysinit:/bin/mkdir -p /dev/pts.null::sysinit:/bin/mkdir -p /dev/shm.null::sysinit:/bin/mount -a.null::sysinit:/bin/hostname -F /etc/hostname.# now run any rc scripts.::sysinit:/etc/init.d/rcS.::respawn:/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf..# Put a getty on the serial port.ttyS1::respawn:/sbin/getty -L ttyS1 57600 vt100 # GENERIC_SERIAL.ttyS1::respawn:/sbin/getty -L ttyS1 57600 vt100

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\issue Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	73
Entropy (8bit):	4.74598770386279
Encrypted:	false
SSDEEP:	3:sX/LNb2kQ2uQoYrGL9tklQ3v:AZbBGRtkWv
MD5:	28A522CD3A52621058444F1454D47C11
SHA1:	80CD3CCB9C952846C7E7B593DAD26B9EC830543F
SHA-256:	02F64171F8C380E4ECACCE111EB9398CC24E58146EB30DD20F729FD37CA8017D
SHA-512:	174975F1D36ABD0C9AF0DE804497E10F4BBEF47FA842CA612B99712D1C17E7F7B425316B72FC665DD2253D33501116A405D4F7E557DCFC0C74CB74F6B7C7B74C
Malicious:	false
Preview:	ALL3500 (C) 2011-2017 Allnet GmbH Computersysteme..Devicename: ALL3505...

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\certs\allnet.pem Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3225
Entropy (8bit):	5.990990271070895
Encrypted:	false
SSDEEP:	96:LrrBfB9xofCTFGQMpJnxacLppXAAFkBC4F7Zb7:HrBJ98sFEGcLp/FkBf7l7
MD5:	A08E4CCF884F1A78201108504977D894
SHA1:	2262478F5E70D36B327D7707EA0256E5750DF093
SHA-256:	5FE0186472B8BB57B94DA879E4402089013583B4DAFE65B2165FBF2EC2A2D041
SHA-512:	3E287120CBFE55E23455A1F24FFB6E030918C1A8C3DC6689AFF94904F88F0C631569945694C2B8DD0ED835EA69FFFE4C009AFB3A917C398E899505DE8714B103
Malicious:	false
Preview:	-----BEGIN PRIVATE KEY-----.MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCz+5FaCK1EPmlx.dzVMrMXVxD83fzZT+O8sOKhN6UlPokcwTT1PwTEHBCGGkD0kI+pCQ8iGewhCPByy.cC31LgJF+Q7tMgWDLRHpEbj+jLTicfMTeo6Mel+Y5/o7aYAz0k1V0ZyfHWW+aZNi.UBqX9FCdk8rZtLcPF07pGVae//N8jZ8A8hZPkMvaSssKzkVlp7AjlwV2DcltpFib.CgVZu1pO2S6IFp61S/tqCswxHgSPvdJwPCTj/OJnofbOZkv0Dyo1maF27gI91+np.rIynecTqdYGHE26wIkEV7HIzx6Xcf2ei6fmx4Advx7b/dMt4naVS0qOM5sr74UO2.JZndmCXBAgMBAAECggEAcj4Jigud54ZyKaqQM2YrgT+7HL/rvStyrTAdbK7acOjB.pSAx/bDULO7rVN2zYYBGjt81pl7r5BcB5CWellUo7j9jwR2SMCxohPdR5Iltu5q2.vzN4ziRTD9yXkiSqUrp3ijSt5LWlQlMDUVElQDS9Avivtralx7d0yDLkL7KpW/H7.YA3h94xisoGgJ3RuBsyPrO+JROH6PAwSKxE2fg1hcMnqcPDgOZvWQqDvF3nE+OK2.ManA93auZnmznSbGYjcQALSR9x96Hvw8NFtiKSTlJB9bxh52ziLa1Fe3ecx8L5E4.3iOhypx2cp/jiDKy9aItPO9XgSULw2i40ZumvFTMAQKBgQDqZIMtW2sLBPs++RO/.XlRrmblO+cOWqnc1atGoKcvRng1ypN5UpQudfkH2bRybz1R92q/jAWlK7KBRRkCI.GvUF27cNCiLemeudXnYZMG9kxYH4H8rYc4kKeygBHtQIYKyBxkeDWeCSHtjLiiwI.LreqR8AwcW6R4VuTyEz34gqdoQKBgQDEkwWuxWyXImsVC1sKlyP3F/d1uwjRSg

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\access_log.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	723
Entropy (8bit):	4.354072358710162
Encrypted:	false
SSDEEP:	12:2fSMabYDzV85EpNVUEQSB8f38Pq0uKsuwKws1IBNFI8yIn:7M7VUEQC8gq0uSParFI8yI
MD5:	CE82C4347F72EA482CCA4039B0DFE2EC
SHA1:	7F32320877732C59371CC455A32C6DF69ACD530E
SHA-256:	EFEB1261C691FEE0374AE5B3FB7FFA6DD8782051A6227276B62D98F9732261AD
SHA-512:	977511BF674CFCF775BA11B73175C22DE7B598C55D4281DEA6720C9FB3E778BC1942709724EAF266B823D6629C2312A06B7B0E5D2618A078076328F8590C90F7
Malicious:	false
Preview:	#######################################################################.##.## Corresponding documentation:.##.## http://www.lighttpd.net/documentation/access.html.##.server.modules += ( "mod_accesslog" )..##.## Default access log..##.accesslog.filename = log_root + "/lighttpd-access.log"..##.## The default format produces CLF compatible output..## For available parameters see access.txt .##.#accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""..##.## If you want to log to syslog you have to unset the .## accesslog.use-syslog setting and uncomment the next line..##.#accesslog.use-syslog = "enable"..#.#######################################################################.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\debug.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	967
Entropy (8bit):	4.166737422314292
Encrypted:	false
SSDEEP:	24:X1IK7iA8reJV1hhUZJuoIOuZWlJKLub5LKc9ud:l1VKI7WJKW5G3d
MD5:	3F6C5A7003594C6319A3F42310AF9B98
SHA1:	EA6790750024043EF97192F5B1554E435D8AB410
SHA-256:	D9C5C36DCC5C10BC133054EE0EC0BBAF5F7348A50CB1173E3389DEA861B32087
SHA-512:	2E6D778D5503A9BB0AF0D3D2FF40079080D066204EA01FD020438410135E5B7A649E8AA3CC8361CE6FB9AB16B8056A222952781A07F3B143E1EF9A8F38AA9051
Malicious:	false
Preview:	#######################################################################.##.## Debug options.## ---------------.##.## Enable those options for debugging the behavior.##.## The settings can be set per location/vhost..## ..## .## log-request-handling allows you to track the request.## handing inside lighttpd. .##.#debug.log-request-handling = "enable"..## .## log all request headers. .##.#debug.log-request-header = "enable"..## .## similar to log-request-header..## but only logs if we encountered an error..## (return codes 400 and 5xx).##.#debug.log-request-header-on-error = "enable"..## .## log the header we send out to the client..##.#debug.log-response-header = "enable"..## .## log if a file wasnt found in the error log..##.#debug.log-file-not-found = "enable"..## .## debug conditionals handling.##.#debug.log-condition-handling = "enable"..#.#######################################################################...

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\dirlisting.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1382
Entropy (8bit):	4.56392104712804
Encrypted:	false
SSDEEP:	24:C4K0G6eR37Q1DuKyPFXCE0Gt8iTmERQnx61zkYAx6ahwcc9:RKPM1DZbE1nTmERmx61zkYAx6ahRu
MD5:	854231B547C36AFD9680E17CDA7BF35F
SHA1:	CECAD8920A01D8924EABA4559D31EDFDA3F7F101
SHA-256:	D6FA941B014AEB4CF21386AE03CF421D3B595AA168DFD0428F97BAE9588941C7
SHA-512:	2CDD34EA2A5C4A6EE4060F2B5AD61DCDF771EDE909881A4A0E56F31BB62DE0CF06706FBB0C23DDA239AB4774E05AC450445701BFCCA8C365DA9C365C3D57B986
Malicious:	false
Preview:	#######################################################################.##.## Dirlisting Module .## ------------------- .##.## See http://www.lighttpd.net/documentation/dirlisting.html.##..##.## Enabled Directory listing.##.dir-listing.activate = "disable"..##.## Hide dot files from the listing?.## By default they are listed..##.dir-listing.hide-dotfiles = "disable" ..##.## list of regular expressions. Files that match any of the specified.## regular expressions will be excluded from directory listings..##.dir-listing.exclude = ( "~$" )..##.## set a encoding for the generated directory listing.##.## If you file-system is not using ASCII you have to set the encoding of.## the filenames as they are put into the HTML listing AS IS (with XML.## encoding).##.dir-listing.encoding = "UTF-8"..##.## Specify the url to an optional CSS file. .##.#dir-listing.external-css = "/dirindex.css"..##.## Include HEADER.txt files above the directory listing. .## You can disable showing the HEA

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\fastcgi.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	200
Entropy (8bit):	3.495336130283416
Encrypted:	false
SSDEEP:	3:uXMiNVC7/F/nK32FCN2V7zFF2KwnvGO4NFox9dWHFYbuHE:5wGBaXR4YbUlYME
MD5:	55569978A2CE3EF0582C432AC6F1B43F
SHA1:	33AB80B79486B8D884DAB7105706940E1292FA6A
SHA-256:	3C0F8F8E0523E6895462A410A2A5136C9AAAAF0F63DBEBF45F5C5238F590C3F8
SHA-512:	A1EA9B475B62D0E509B7D4E6F3B846AB6EE12A6AF6C0D173F245A0FFA9BB6F452C26AC3103DC122E68A058BB64D7B9246B79F0AAFFA4F313823AD8DFC94AAE11
Malicious:	false
Preview:	fastcgi.server = ( ".php" => (( . "bin-path" => "/usr/bin/php-cgi",. "socket" => "/tmp/php.socket",. "max-procs" => 1. )))..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\mime.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3011
Entropy (8bit):	4.02500525956968
Encrypted:	false
SSDEEP:	48:z1pc+re6WqOwQ/hiJ7aFQr+ncqoqPAwqWOXy6gZocmFZ3MDMlh+:zl4qpQ5iJ7aFQScqoqYwqWOXy3ZsU
MD5:	D6D0AD62C22DC0A73C758E6A742F1EBD
SHA1:	F75D06A2EF2DFBE686BDF1012559012D98C3D984
SHA-256:	440B99771515827E8267A56BAA794103AF4EF2B831F824025758962D500E0105
SHA-512:	0CFD3D46BC834B9F2EF0629E0A0518AF58A1D7A94D7BC2DB3AF3CAFEF686E768F4562C819FE104385B427F8939DDD241D26AC6C26B966DE2562C6BCF42D74DFA
Malicious:	false
Preview:	#######################################################################.##.## MimeType handling.## -------------------.##.## http://www.lighttpd.net/documentation/configuration.html#mimetypes.##.## Use the "Content-Type" extended attribute to obtain mime type if.## possible.##.mimetype.use-xattr = "disable"..##.## mimetype mapping.##.mimetype.assign = (. ".pdf" => "application/pdf",. ".sig" => "application/pgp-signature",. ".spl" => "application/futuresplash",. ".class" => "application/octet-stream",. ".ps" => "application/postscript",. ".torrent" => "application/x-bittorrent",. ".dvi" => "application/x-dvi",. ".gz" => "application/x-gzip",. ".pac" => "application/x-ns-proxy-autoconfig",. ".swf" => "application/x-shockwave-flash",. ".tar.gz" => "application/x-tgz",. ".tgz" => "application/x-tgz",

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\remote_access.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:v:v
MD5:	68B329DA9893E34099C7D8AD5CB9C940
SHA1:	ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:	01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:	BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\conf.d\remote_access.on Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	366
Entropy (8bit):	3.9359051050913303
Encrypted:	false
SSDEEP:	3:rZhFSzA3ZNRoSBHJ01qERV/WSBLDATMJHH1zbGGWHJ01HPH/FgeF/JdNF9CigiF3:rMzAjxmnRPFATM55bisHP669x0ryiR29
MD5:	2D7DE87CCFB40746BC02C50A031B82D1
SHA1:	A60E1F0DA7A0E0A29FD61CE2AC88AE4AE5DA08D6
SHA-256:	E0DCD2A3E660956364603B10507FA730F3A273279B567682A5DE204C9ADD909D
SHA-512:	7EFA93A14FD9F458637727752C86A4229EC56797AE6B2854A4273BEE758F5F1BCDD58A36DFC3AB12A118BD6E0A3985B67262D3DDF38519C6812AC73505F38E69
Malicious:	false
Preview:	$HTTP["url"] =~ "^/xml/" {..auth.backend = "htpasswd",..auth.backend.htpasswd.userfile = "/etc/remote_access",..auth.require = ( "/xml/" =>. (. "method" => "basic",. "realm" => "Username and Password Required",. "require" => "valid-user". ). ),.}

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\lighttpd\lighttpd.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	C source, ASCII text
Category:	dropped
Size (bytes):	2762
Entropy (8bit):	5.031888007997016
Encrypted:	false
SSDEEP:	48:rRt77zYxi7wFDfLKfGlmyA/1uUEfCH8L8IWC3NKdjVrMFXOvp:rRt77zUiEF7LKObANuUoCHnIWHEq
MD5:	F4BC1961F72AC171EEEABD9A9E6C0932
SHA1:	BAC73FFD9721BB405E94BBD3C764B2732A26BACB
SHA-256:	EB76660CB44D3077077A14078E13A98184110EF180979F463F606F38E7806FDB
SHA-512:	8ADB6B5F3C126AD2649F7DF7A6F5CF5AF02306CDD657B95D1B095E87242DC9B888133DA2E3CE8D3A7BB9021FD454A859C20A9390BD14349E8925E51C1B6D463B
Malicious:	false
Preview:	#######################################################################.##.## /etc/lighttpd/lighttpd.conf.##.## Created: 2015-08-05 Allnet/ir.## LastChange: 2016-04-18 Allnet/ir.##.#######################################################################..server.modules = (.."mod_access",.."mod_alias",.."mod_compress",. ."mod_redirect",.."mod_auth",.."mod_setenv",.."mod_fastcgi",.).setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" ).#server.document-root = "/var/www/system".server.document-root = "/www".server.upload-dirs = ( "/var/run/lighttpd" ).server.pid-file = "/tmp/lighttpd.pid".server.groupname. = "root".server.username.. = "root".server.errorlog = "/tmp/lighttpd-error.log".server.port = 80.server.event-handler = "linux-sysepoll".server.network-backend = "writev".server.max-fds = 512.server.max-connections = 256.server.stat-cache-engine = "simple".server.max-keep-alive-requests = 8.server.follow-symlink = "enable".server.tag="".# server.use-ipv6 = "en

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\passwd Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	596
Entropy (8bit):	4.605599539194125
Encrypted:	false
SSDEEP:	12:fsMKjh5GEhWXhUkyKCMA+FnO+IQJ+pY3qMMH7qRCiNYktUVjNJ0:Yh5GEhHGfnO+spY6MtikmVjE
MD5:	A451888143DFCD81AAABD851BAC09AA7
SHA1:	9CA4D44AEEBFD9DB4641A1841E6B218C29561B34
SHA-256:	16CD77A47698D4929643F7FC9077C185A9998090EF322F36E82CCE49452BBABE
SHA-512:	DF43F18BEFFDA69BC196F5974763A882AEAF2AFF6A9F9AF10471597E51D95A87EF9747EBD11175D08CBB21940499563E1C775DB315A59957470FFC874B46B191
Malicious:	false
Preview:	root:x:0:0:root:/root:/bin/sh.daemon:x:1:1:daemon:/usr/sbin:/bin/sh.bin:x:2:2:bin:/bin:/bin/sh.sys:x:3:3:sys:/dev:/bin/sh.sync:x:4:100:sync:/bin:/bin/sync.mail:x:8:8:mail:/var/spool/mail:/bin/sh.proxy:x:13:13:proxy:/bin:/bin/sh.www-data:x:33:33:www-data:/var/www:/bin/sh.backup:x:34:34:backup:/var/backups:/bin/sh.operator:x:37:37:Operator:/var:/bin/sh.haldaemon:x:68:68:hald:/:/bin/sh.dbus:x:81:81:dbus:/var/run/dbus:/bin/sh.ftp:x:83:83:ftp:/home/ftp:/bin/sh.nobody:x:99:99:nobody:/home:/bin/sh.sshd:x:103:99:Operator:/var:/bin/sh.default:x:1000:1000:Default non-root user:/home/default:/bin/sh.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\php.ini Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	31242
Entropy (8bit):	4.905658442559905
Encrypted:	false
SSDEEP:	384:zDhqFY7HrNs86/W7/6f+O/XllDt/5RslfoEhKwgJ+v3Ewme:zDhq27Hhsxyift/XlNt/5RPzwpvpme
MD5:	068FD5AC3E07A683CB5F42C48F416523
SHA1:	7C08E390C06834894CE26F53AE029D4719A187D1
SHA-256:	1449D2E873F5211C3E392D2E800A0487914887A4994DAA0DF566444E0A6D6BCE
SHA-512:	1CEA2C4D559524E3567F847A743ABF9DAB90884C4C864C31A138172E223A658DC4070E4752DF3C61D0102356251B17F4D8021F4E97DC8A6F1E82800F3E6A2BAC
Malicious:	false
Preview:	[PHP].; display_errors.; Default Value: On.; Development Value: On.; Production Value: Off..; display_startup_errors.; Default Value: Off.; Development Value: On.; Production Value: Off..; error_reporting.; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED.; Development Value: E_ALL.; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT..; html_errors.; Default Value: On.; Development Value: On.; Production value: On..; max_input_time.; Default Value: -1 (Unlimited).; Development Value: 60 (60 seconds).; Production Value: 60 (60 seconds)..; output_buffering.; Default Value: Off.; Development Value: 4096.; Production Value: 4096..; register_argc_argv.; Default Value: On.; Development Value: Off.; Production Value: Off..; request_order.; Default Value: None.; Development Value: "GP".; Production Value: "GP"..; session.gc_divisor.; Default Value: 100.; Development Value: 1000.; Production Value: 1000..; session.hash_bits_per_

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\profile Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.368843527677657
Encrypted:	false
SSDEEP:	24:90GQS/aeToL9rrpvcWKtoojYbXjWac3uC6cdiKNDBkDMWmRXQg8BTVNx56j/pjY8:90GA9BKtooiS68lNAgCVMLpjV7Syj
MD5:	8168697208A26B0F40D83E90B9927473
SHA1:	53FFEB47910C1415FA0104F06BF7720DCC9C5077
SHA-256:	A07AA92F1068DB8A5E273D51765D1D8E8EF0CC3C471A0049D367CF621B99EBED
SHA-512:	A6533109B77C7DCD6056078578E99EF154C9002B9D288584F2F66382A2B9FB82743B4938001F438008651DF1C23AD6CC7233023BF567B913916662F118F1DA67
Malicious:	false
Preview:	# ~/.bashrc: executed by bash(1) for non-login interactive shells...export PATH=\./bin:\./sbin:\./usr/bin:\./usr/sbin:\./usr/bin/X11:\./usr/local/bin:\./usr/sbin/allnet:\./opt/allnet:\./etc/scripts..# If running interactively, then:...export PS1="[\u@\h \W]\\$ "..alias ll='/bin/ls --color=tty -laFh'..alias ls='/bin/ls --color=tty -F'..export LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:.tar=01;31:.tgz=01;31:.arj=01;31:.taz=01;31:.lzh=01;31:.zip=01;31:.z=01;31:.Z=01;31:.gz=01;31:.bz2=01;31:.deb=01;31:.rpm=01;31:.jar=01;31:.jpg=01;35:.jpeg=01;35:.png=01;35:.gif=01;35:.bmp=01;35:.pbm=01;35:.pgm=01;35:.ppm=01;35:.tga=01;35:.xbm=01;35:.xpm=01;35:.tif=01;35:.tiff=01;35:.mpg=01;35:.mpeg=01;35:.avi=01;35:.fli=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01;35:';.. export USER=`id -un`. export LOGNAME=$USER. export HOSTNAME=`/bin/hostname`. export HISTSIZE=1000. export HISTFILESIZE=

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\proftpd.conf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	4.961943652167098
Encrypted:	false
SSDEEP:	24:qNOPAcz0+FHW5eYUH56VLZKZv0KTmYCNhJqgMDW7xFWdvwx1fijff2cujQE4/rb6:jYcdWuY+M0Uj1r3wv12iGx
MD5:	47DB1DC31E6B70615A9A978885647365
SHA1:	E98E28CF7E3361907CCB9A36D524A81446725D4F
SHA-256:	3A44AA4835C03915F91DD9E0446D01B71B55B24C25D6EC027040B20D36DD0169
SHA-512:	148A8E73D963DFBA75CE86916659260A3B9AAF3CA50B21C119531C29D7A194F6BE0E0521847E464A1E41E1E2BB9B4B372CA649F118220206968D7B00C0E9074D
Malicious:	false
Preview:	# This is a basic ProFTPD configuration file (rename it to.# 'proftpd.conf' for actual use. It establishes a single server.# and a single anonymous login. It assumes that you have a user/group.# "nobody" and "ftp" for normal operation and anon...ServerName..."FTP server".ServerType...standalone.DefaultServer...on.RootLogin...on.TimeoutIdle 1440..Port 21..# Don't use IPv6 support by default..UseIPv6....off..# Umask 022 is a good standard umask to prevent new dirs and files.# from being group and world writable..#Umask....022..# To prevent DoS attacks, set the maximum number of child processes.# to 30. If you need to allow more than 30 concurrent connections.# at once, simply increase this value. Note that this ONLY works.# in standalone mode, in inetd mode you should use an inetd server.# that allows you to limit maximum number of processes per service.# (such as xinetd)..MaxInstances...30..# Set the user and group under which the server will run..User....root.Group....root.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\avahi.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	699
Entropy (8bit):	5.340432763688548
Encrypted:	false
SSDEEP:	12:MTAonNPUhayNPUhjD2R6v3/viGiWeBK6V3AUiWeMK6V3A5kBnAdptZaUz+nItPzd:MTjnKlKkQ3qGiWe80PiWeL0WkBnWHZa2
MD5:	C301560162670D280BAEFE8CB8D6D06A
SHA1:	29CF7AC88F5C5CD66B6836E9F7200BE89092CBA2
SHA-256:	34D0BFE0CD098AAB7B0499402D24EDBA2DF40B38396AD32B591329AA5C3ED481
SHA-512:	6569F72AFF2F76948ED2DBBAF724505726108EAF90E602966E1F2C6F0208387E7D264AF714D654EF20FBD6EED33BA83675D0098883A94789C40CC975669CAC80
Malicious:	false
Preview:	#!/bin/sh.#.# avahi-daemon init script.HOSTNAME=`/usr/sbin/allnet/sqldb_read /sys/network/hostname`.#ETH=`/usr/sbin/allnet/sqldb_read /sys/network/interface`.#MAC=`/sbin/ifconfig \| grep $ETH \| tr -s ' ' \| cut -d ' ' -f5 \| cut -b 10-17 \| tr -d ':'`.#HOSTNAMEMAC="${HOSTNAME}-${MAC}"..#sed -i 's/host-name=./host-name='${HOSTNAMEMAC}'/g' /etc/avahi/avahi-daemon.conf.sed -i 's/host-name=./host-name='${HOSTNAME}'/g' /etc/avahi/avahi-daemon.conf.DAEMON=/usr/sbin/avahi-daemon.case "$1" in. start)..$DAEMON -c \|\| $DAEMON -D..;;. stop)..$DAEMON -c && $DAEMON -k..;;. reload)..$DAEMON -c && $DAEMON -r..;;. *)..echo "Usage: S50avahi-daemon {start\|stop\|reload}" >&2..exit 1..;;.esac.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\cget.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.322358297497027
Encrypted:	false
SSDEEP:	6:h//d1rHyWGD5/FoB8Gw3GYgtIM0KCeRxS1dgOdvdjXotMr:5/3bytzyb6zKxkHq2
MD5:	C98FCA0BD625333BF9CFEF7C43AC8018
SHA1:	FCB1122EFE2A9A4C8A564D1992BD65B833E99911
SHA-256:	CCFA5A905BD7E95E06345F313077E996BF588FD2ADF734B2B094C1169C758058
SHA-512:	3722D8DF7A8F168018F14E892CFED0A6478CDCD2BAAD421D3B7DBDD4D4FBFDD4F6AE0F8755F35372718CFF6EF2844120854F3A6D61B304C869F3BF13F4F72E68
Malicious:	false
Preview:	#!/bin/sh.BASE="config".FIELD="tag, value".WHERE="tag".[ ${#2} -gt 0 ] && { BASE=$2; }.[ ${#3} -gt 0 ] && { FIELD=$3; }.[ ${#4} -gt 0 ] && { WHERE=$4; }.sqlite3 -init /etc/scripts/sqliterc /etc/allnetenv/config.s3db "SELECT $FIELD FROM $BASE WHERE $WHERE like '%$1%';".

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\checkupdate.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable, with very long lines
Category:	dropped
Size (bytes):	2408
Entropy (8bit):	5.270155531370698
Encrypted:	false
SSDEEP:	48:rtfFWvm3ujZH0hJ4pQjbVSqhVw5ws3yRyBWyw:rtfwvm3mZH0hJ4+tSqhDz1
MD5:	2A6017CF2FCD511E287E28F3EB5B8023
SHA1:	3FB49F60D3170464534A85561E913E4C0AC350A7
SHA-256:	D68A18FC1EC9CA383F34A69C28D0D75C833A4FA6EAA7D12EB494DC8BE3A19E38
SHA-512:	94BA2DCB72E351D8927E11A974B53F382A0FCB1AFDF7255053D74D0BA36823866BE5DEE1C07408C08AEAE839CE27AA70CF23BDD4534738D0A1D7F0A665101C92
Malicious:	false
Preview:	#!/bin/sh.export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.URL="https://update.allnet.de/".DIR="/tmp/update".prepare() {. rm /tmp/update.result > /dev/null 2>&1. FIRMWARE=`cat /etc/default/version`. VERSION=`echo $FIRMWARE \| cut -d';' -f1 `. PATCH=`echo $FIRMWARE \| cut -d';' -f2 `. INTERFACE=`/usr/sbin/allnet/sqldb_read /sys/network/interface`. MAC=`/sbin/ifconfig \| grep $INTERFACE \| tr -s ' ' \| cut -d ' ' -f5`. UUID=`cat /etc/default/uuid`. DEVICETYPE=`/usr/sbin/allnet/sqldb_read /control/devicetype`. REVISION=`/usr/sbin/allnet/sqldb_read /sys/hardware/revision`. DATE=`/usr/sbin/allnet/sqldb_read /sys/firmware/datenum`. DEVICEDATE=`date`. RELOADLAST="false". FORMAT="false". CHECK="check". if echo $@ \| grep "user"; then CHECK="user"; fi > /dev/null. if echo $@ \| grep "short"; then FORMAT="true"; fi > /dev/null. if echo $@ \| grep "reload"; then RELOADLAST="true"; fi > /dev/null.}.check() {. prepare $1 $2. if [ ! -f /tmp/update.lock ] ;then. cleanprocess. f

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\cset Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.415584307558354
Encrypted:	false
SSDEEP:	6:h5nnpOdeGFEb9EYsk1NfpqEI6c5nqQDlUmH3Ysk1NfpqEI6c5G4ieRzQlq6n:vnSetbKYG6c5BhnXYG6c5DieRzQlq6n
MD5:	9AC719B9977B5794636BE8AD7CA273F4
SHA1:	27A5E1DE0FD3471816A8DF7E673E654FEA8075DC
SHA-256:	A1DC5AFFC2713CE8A9346CC0DD9C02DB5BEA95437C07AB10B58CB9D7A36F5D0E
SHA-512:	E91B5AC58270BDEBC378C3C2E3BF3B812AF3570C34A7C40B7CD1D9717B61772A9453B64944A320D3E71147CF632826767C28FDA2B4ABE54AE52A24FB8ECB1649
Malicious:	false
Preview:	#!/bin/sh.DBFILE="/etc/allnetenv/config.s3db".TABLE="config".if [ -n "$1" ] \|\| [ -n "$2" ] ;then..echo "INSERT OR REPLACE INTO $TABLE (tag, value) VALUES ('$1', '$2');"..[ -f $DBFILE ] && sqlite3 $DBFILE "INSERT OR REPLACE INTO $TABLE (tag, value) VALUES ('$1', '$2');".else..echo "USAGE: set {tag} {value}";..exit 1.fi.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\curlmail.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	878
Entropy (8bit):	5.374403397939404
Encrypted:	false
SSDEEP:	12:MoXHvj3rbJ2MWb0bgKb2wnbEnbTYtVSu1b82Sw3tBSIoXKR1EWwC1E:TvjbEMWgsKiU8AN1AASLKR+
MD5:	2FD739D3768B4D52EE5DAB7E517CB1C6
SHA1:	72DA973678A584D3CC0EEF1333AED68F258ABDDD
SHA-256:	C5E027358165E5D010081D61BF48E3882724626C57AD46982CF22F44F963BCED
SHA-512:	2EFD386D37C7C4DF697347F8941B70E984643BCE0E2A8362F6A3A6242C13E17EF6D3ED118E763B9B26AE2965CEA0F81BE0DD1D4DA2E36B366238F9104775E8B6
Malicious:	false
Preview:	#!/bin/sh.CURL_LOG="/tmp/mail.log".FROM=`/etc/scripts/get /sys/network/mail/sender`.SMTP=`/etc/scripts/get /sys/network/mail/smtp`.PORT=`/etc/scripts/get /sys/network/mail/smtpport`.USER=`/etc/scripts/get /sys/network/mail/user`.PASS=`/etc/scripts/get /sys/network/mail/pass`.STYP=`/etc/scripts/get /sys/network/mail/smtpssl`.DATE=`date +%d.%m.%Y`.TIME=`date +%H:%M:%S`.#SIG=`/etc/scripts/get /sys/network/mail/signature`.PROTO="smtp".[ ${STYP} -eq 0 ] && { PARAM=""; }.[ ${STYP} -eq 1 ] && { PARAM="--ssl";PROTO="smtps"; }.[ ${STYP} -eq 2 ] && { PARAM="--ssl --ssl-reqd"; }.#echo -e "\n$SIG\n" >> /tmp/mail.txt.sed -i 's/%D/'${DATE}'/g' /tmp/mail.txt.sed -i 's/%T/'${TIME}'/g' /tmp/mail.txt.curl $PARAM --insecure --mail-from "$FROM" --mail-rcpt "$1" --url $PROTO://$SMTP:$PORT -u "$USER:$PASS" --upload-file /tmp/mail.txt --anyauth --verbose --silent --show-error 2>$CURL_LOG.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\devicedaemons.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	734
Entropy (8bit):	4.616084380516708
Encrypted:	false
SSDEEP:	12:BvourdwK3pJFv5I56NFpiGwJVMfqB4WwMmTq6YJ6TKojxjpHo2RujROqdDe:BQu+Kpl06NFpOJmy4tqFqpt6Oqte
MD5:	E82B4CEA0D818A74BE113BA4C3C73A36
SHA1:	04597FC4273DFBB95CA5A2AA8D80DD7415BF698B
SHA-256:	6331C07EC3C432FA78495946E11B779FF3C8C445D6E825D07C32E5C23B09C5FF
SHA-512:	72649AE9418BDE4100096FE0392B07263C3E828F814B757125C66DFAB3015D1FBC05855A68614DAE1132851CDE164A057863DAB618E014BFF4DFFF10C6D07F45
Malicious:	false
Preview:	#!/bin/sh.CS="/etc/scripts/startstop.sh".daemons() {. cat /etc/default/daemons \| while read daemon; do. $CS $daemon $1. done < /etc/default/daemons. if [ -f /etc/default/commands ] ; then. ash /etc/default/commands. fi. if [ -f /etc/default/dependent ] ; then. cat /etc/default/dependent \| while read daemon; do. WAIT=$( echo "$daemon" \|cut -d\ -f2 ). START=$( echo "$daemon" \|cut -d\ -f0 ). sleep $WAIT. $CS $START $1. done < /etc/default/dependent. fi.}.case "$1" in. start). .daemons $1. .;;. stop). .daemons $1. .;;. restart\|force-reload). daemons $1. ;;. pid). daemons $1. ;;. *). echo $"Usage: $0 {start\|stop\|restart\|force-reload\|pid}". exit 3. ;;.esac.exit $?

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\dnsmasq.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.376669883823185
Encrypted:	false
SSDEEP:	48:JmIB095xqgSkRWUl0RQYqnDDRFBXsmdRxmEqJ+RzrBya:Jmky5xnSkRWiaQhnDDRHXsmvxmEqcF5
MD5:	E1F11476062F701B695F14192B58422C
SHA1:	24119A47841A2902DF3B702DB63EB14F26C25E1B
SHA-256:	E6F83331AA3A271782821A8BC99A1A7FF7FFD452BBFB4C863AFA08BB58526405
SHA-512:	C5056860B55689952DD8EA4F259E272A47AAC03C8BD34C1170A8397521D55F0065CBEC2918ECF3B10358147D32087A0EB549E3D78C4648AD57D2A50DA4BCACC6
Malicious:	false
Preview:	#!/bin/sh.#.# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $.#.# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?.# Separate multiple interfaces with spaces, e.g. "eth0 eth1"..#INTERFACES="br0"..# It is not safe to start if we don't have a default configuration....#echo "/etc/init.d/dhcp-server not yet configured! - Aborting...".#exit 1;.ENABLE=`/etc/scripts/get /sys/network/udhcpd/enable`.IFACE=`/etc/scripts/get./sys/network/udhcpd/iface`.LEASEFILE=`/etc/scripts/get ./sys/network/udhcpd/leasefile`.PIDFILE=`/etc/scripts/get ./sys/network/udhcpd/pidfile`.AUTOTIME=`/etc/scripts/get ./sys/network/udhcpd/autotime`.DOMAIN=`/etc/scripts/get ./sys/network/udhcpd/domain`.ROUTER=`/etc/scripts/get ./sys/network/udhcpd/router`.STARTIP=`/etc/scripts/get ./sys/network/udhcpd/startip`.STOPIP=`/etc/scripts/get ./sys/network/udhcpd/stopip`.SUBNET=`/etc/scripts/get ./sys/network/udhcpd/subnet`.DNS1=`/etc/scripts/get ./sys/network/udhcpd/dns1`.DNS2=`/etc/scripts

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\dropbear.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	5.163438393821446
Encrypted:	false
SSDEEP:	24:BmK+AIKs4xKtDKAqK8iTO2A7BnRDO5DHnMI0mVJW8Y2qm5cy:Bn+YctGArzTqBnRDO5DHh0aJWyqm5cy
MD5:	1D06CECA34AA3FC784519C6A1ED182BF
SHA1:	40AA9460A1F21067B472736DBE1B6B8891129660
SHA-256:	B972453086B34B68A6ABEAEEA7B27572CB767489CD00DFD9AE6A6F34ABB0E33C
SHA-512:	D0EDE5A1A1E3E6F8358858DCC2B3D49AF561CD4E766DD2B76F08ED43D75E87CA038DAE15246683226BA9C2C8301A4DE908735C5A1F8F187BE504556B7F655323
Malicious:	false
Preview:	#!/bin/sh.#.# Starts dropbear sshd..#.ENABLED=`/usr/sbin/allnet/sqldb_read /sys/network/sshd/enabled`.INIT=`/usr/sbin/allnet/sqldb_read /device/language`.DEVTYPE=`/usr/sbin/allnet/sqldb_read /control/devicetype`.DEVNAME=`/usr/sbin/allnet/sqldb_read /control/devicename`.LOGINPROMPT=`/usr/sbin/allnet/sqldb_read /sys/network/sshd/loginprompt`.if [ $INIT = "INIT" ] ; then..ENABLED=1.fi.# Make sure the dropbearkey progam exists.[ -f /usr/bin/dropbearkey ] \|\| exit 0..start() {..if [ ${ENABLED} = "1" ] ; then...echo -e "$DEVTYPE $LOGINPROMPT\n\nDevicename: $DEVNAME\n\n" > /etc/issue. ..echo -n "Starting dropbear sshd: "...# Make sure dropbear directory exists...if [ ! -d /etc/dropbear ] ; then....mkdir -p /etc/dropbear...fi...# Check for the Dropbear RSA key...if [ ! -f /etc/dropbear/dropbear_rsa_host_key ] ; then....echo -n "generating rsa key... "..../usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1...fi....# Check for the Dropbear DSS key...if [ ! -f /etc/

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\dtool.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	a /bin/ash script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	4250
Entropy (8bit):	5.350853833830543
Encrypted:	false
SSDEEP:	96:+zAc6n4Uv7h9pLl2rDx1OY81q9OBz9OTulXfEdPfEdLNqiF3:1Dh9pLl2rDx1OY79c9cwXfEdPfEdYiF3
MD5:	B12AF4FCE2E7159F869ADBE88E7B0D4C
SHA1:	FE426635043E8F6FEF7AC9FF6CF936561F121A1F
SHA-256:	B80584FD75A6E57C5DA68D7B2E5EF001E2FD1B9D10622E0DA1DEB8ECD67A99DA
SHA-512:	3BA9396CA0C58ECF7CD1CFB366718C2BDEB8DE16BA55BB678929319BD155E7EA40DD59CA8F29C277768C62477421D1EE62D2F581069921A0CFB3C7915FB168F5
Malicious:	false
Preview:	#!/bin/ash.VERSION="0.22".PLATFORM=`get /sys/platform`.DEVTYP=`get /control/devicetype`.printf "\e[96m%-15s\e[32m%s\e[0m\n" "DaemonTools: " "$VERSION".printf "\n\e[96m%-15s\e[32m%s\e[0m" "Platform: " "$PLATFORM".printf "\n\e[96m%-15s\e[32m%s\e[0m" "Device Typ: " "$DEVTYP".if [ ! -z $1 ]; then..case $1 in...start\|stop\|restart)....printf "\n\e[96m%-15s\e[32m%s\e[0m\n\n" "Aktion: " "$1"....cat /etc/default/daemons > /tmp/daemons.tmp....cat /etc/default/dependent >> /tmp/daemons.tmp....i=1....while read daemon; do....if [ "$i" -le 9 ]; then.....printf "\e[1;32m%-5s\e[0m\e[97m%s\e[0m\n" "0$i " "$daemon"....else.....printf "\e[1;32m%-5s\e[0m\e[97m%s\e[0m\n" "$i " "$daemon"....fi....i=$(($i+1))....done < /tmp/daemons.tmp....if [ ${DEVTYP} = "ALL3690" ]; then.....printf "\n\e[1;32m%-5s\e[0m\e[97m%s" "30 " "ALL3690 S0"....fi....if [ ${DEVTYP} = "ALL3691" ]; then.....printf "\n\e[1;32m%-5s\e[0m\e[97m%s" "31 " "ALL3691 D0".....printf "\n\e[1;32m%-5s\e[0m\e[97m%s" "32 " "ALL3691 S0"....fi....if [

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\factory_reset.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.457718060489596
Encrypted:	false
SSDEEP:	3:TKH4vGegVBmQOF71GKhURhBADXRdLXTNOXY:hevmLbGKeRQrPTTN4Y
MD5:	F6C16EDEEC963449B42F92D4C056FB07
SHA1:	171A0A089A7BBFE12302B0F12DEA9A6A25133848
SHA-256:	05125FC552E1766AD5EB8409A9ADBD0E596464E092C634E8240F49B112FFDE9A
SHA-512:	3C5F8617589F21FBCE3FC20EAB6FD98BC6B077EC4767D0065B4F3ABEF84300DAC4BD61CB1E3FAC0802D91FC7ECF88B64901DB5CB932EB1BC5F3482C8ABE1786C
Malicious:	false
Preview:	#!/bin/sh./etc/init.d/S70daemons stop.sleep 3./etc/scripts/gendefaultconfig.sh.sleep 3.reboot

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\fget Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	175
Entropy (8bit):	5.219946585275294
Encrypted:	false
SSDEEP:	3:TKH4vhnnp6uGdZYtLQKCSACSIJQDHWUJ8FBlJjDBjBBsOFySUytgcMlJ:h5nnpOdefdQDlUddjXHfrtMr
MD5:	174516C9584D791747F99D9ED89C00EB
SHA1:	36EB751E801C52174DFDC57DEEF6E0DF34AA58F8
SHA-256:	B1F4704B74A786E9AD6B87C1B0D38357412DDBC204A11B13F417C7C9978B627F
SHA-512:	61022F4BE7B7D6C45A4EFC16F99F3577624C4C0174A32A4AA5A39597E2F35D917A0BA0270EDD50D38302570FE953288A798524ED5D316BB452F10CE6F49438EE
Malicious:	false
Preview:	#!/bin/sh.DBFILE="/etc/allnetenv/config.s3db".TABLE="config".FIELD="value".WHERE="tag".[ -f $DBFILE ] && sqlite3 $DBFILE "SELECT $FIELD FROM $TABLE WHERE $WHERE like '%$1%';".

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\gendefaultconfig.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1137
Entropy (8bit):	5.0004775554401135
Encrypted:	false
SSDEEP:	12:OjKRxaeLKH1VQ/F/W93ofQaDqQl5QSFQaDDQFg02ZFTL6swfVQASFWsKTxQTi9Os:gyEe9Nk3on7PrQ7TxQTaOeGDqrIHmHdn
MD5:	42D966BEBDE3930135C7C393BFD2037C
SHA1:	ACDA019353DC615AAB235F69B634577E7217D00E
SHA-256:	2E75D0FF31AF4094DD06C8E9C77E156A2E05FBAECAF468EE86AA83B572CCD542
SHA-512:	8834FE8C977CC5E49F7FD17A26E9C1DFD3A8F9035043E918F74EBA9559EFDA2235F3F9C7BAD0A4257D88ED76F5146D9A8A94860673B1C36EADFF77A85BB09E73
Malicious:	false
Preview:	#!/bin/sh.DEVTYP=`cat /etc/default/device`./etc/init.d/S70daemons stop.if [ -f "/etc/allnetenv/config.s3db" ] ; then..rm /etc/allnetenv/config.s3db..echo 'INFO SQLITE DB: config.s3db found and deleted'.fi.rm -rf /etc/allnetenv/sensorhistory_ts_.rm -rf /etc/allnetenv/log/day-0/.rm -rf /etc/allnetenv/log/day-1/.rm -rf /etc/allnetenv/log/day-2/.rm -rf /data/.csv.rm -rf /data/pm/.csv.rm -rf /data/el/.csv.if [ -f "/etc/lighttpd/conf.d/remote_access.off" ]; then..mv /etc/lighttpd/conf.d/remote_access.conf /etc/lighttpd/conf.d/remote_access.on..mv /etc/lighttpd/conf.d/remote_access.off /etc/lighttpd/conf.d/remote_access.conf.fi.cp -p /etc/default/config_default.s3db /etc/allnetenv/config.s3db.cp -p /etc/default/accessHelper.json /etc/allnetenv/accessHelper.json.echo 'INFO SQLITE DB: config.s3db from config_default.s3db generated'./etc/scripts/setpass.sh root PortaLuce23./etc/scripts/setpass.sh ftp PortaLuce23*.if [ ${DEVTYP} = "ALL3653" ] ; then..rm -rf /opt/flowcontrol..if [ -f "/et

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\get Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.18912942909637
Encrypted:	false
SSDEEP:	3:TKH4vhnnp6uGdZYtLQKCSACSIJQDHWUJ8FBlJjDBjBBsOFySUytgcMkUV:h5nnpOdefdQDlUddjXHfrtMkO
MD5:	1517D6C7B6FCAAECD8C51694CB364AD0
SHA1:	A9A161846F6C5AADF3D96C563A8F7262835468BB
SHA-256:	75A9155766542C0C0D973EB4B370B4C60912A4F24883E477157F56659F1D4708
SHA-512:	7D2A31887AC4AE8671386EA1542CE2712FEECED81565A10794BAD0025037014E6D24ACD9E27BD1A57640F4A04B1AD955FDF425949BD7E24AADAD9F17602230BB
Malicious:	false
Preview:	#!/bin/sh.DBFILE="/etc/allnetenv/config.s3db".TABLE="config".FIELD="value".WHERE="tag".[ -f $DBFILE ] && sqlite3 $DBFILE "SELECT $FIELD FROM $TABLE WHERE $WHERE like '$1';".

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\httpdConfig.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.700815129331847
Encrypted:	false
SSDEEP:	3:TKH4vQYvcLHyx7IEj5CN3V8E:hDEr8IEj5O3V8E
MD5:	B84AB7D272AF2A3CCD3AD150183C8AF8
SHA1:	5C5878F75E8A763F95A0EEE590C1ABC6C37011FE
SHA-256:	5D91F23DA2A682E9CD3D589EAED853BF0D0D5016B5877FD91E55E75EF3853E96
SHA-512:	E72AB46310CD04AF971E93983AD57E97418EB6862196A2B5CD21B511D504D9317FA7D100CC77EC37DAF24E1223EC620D2AD1413F6AECF2F5020294D65B283C00
Malicious:	false
Preview:	#!/bin/sh.usleep 10000 .kill -TERM $(cat /tmp/lighttpd.pid).

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\lan.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	5.160054208670794
Encrypted:	false
SSDEEP:	24:mmKCtKfKlKTKFK6mKXvgKvOkSJ4X24wdL5LSnSOJack4V4Py0u:WC4Cw2Q6nxv+dUSaWy0u
MD5:	3A90307DC171119C99BC58BD100923BF
SHA1:	4E48485EF54EF59B9B16B5E68796EFCF5A8039F1
SHA-256:	81C2DBD549FA21065790DA0ED87BB4C75853024F102F7E06201A46C0413B4E0C
SHA-512:	58A8063AC9D5088A479993EB6747691EE00582E742E2E7DD1927F7A0A91B8331206C531C47328752069A346326C68B27EE30D1D84C4172A2323B2D9CB1747D3D
Malicious:	false
Preview:	#!/bin/sh..IP=`/usr/sbin/allnet/sqldb_read /sys/network/lan/ipaddress`.NETMASK=`/usr/sbin/allnet/sqldb_read /sys/network/lan/netmask`.GW=`/usr/sbin/allnet/sqldb_read /sys/network/lan/gateway`.HOSTNAME=`/usr/sbin/allnet/sqldb_read /sys/network/hostname`.DNS1=`/usr/sbin/allnet/sqldb_read /sys/network/lan/dns1`.DNS2=`/usr/sbin/allnet/sqldb_read /sys/network/lan/dns2`.HWID=`/usr/sbin/allnet/sqldb_read /sys/hardware/numeric_model`.ETH=`/usr/sbin/allnet/sqldb_read /sys/network/interface`.case $1 in.. .start)..echo -e "\033[01;33m[lan] -- Start network...\033[01;0m"..ifconfig ${ETH} 0.0.0.0 up..brctl addif br0 ${ETH}../sbin/ifconfig br0 ${IP} netmask ${NETMASK} > /dev/null 2>&1..route delete default..route add -net 0.0.0.0 netmask 0.0.0.0 gw ${GW}..if [ ${HWID} = "5000" ] ;then.../usr/sbin/allnet/lcd_write 0 `hostname`.../usr/sbin/allnet/lcd_write 1 `ifconfig br0 \| grep "inet addr:" \| cut -f1 -dB \| cut -f2 -d:`..fi..echo "search allnet.local" > /etc/resolv.conf..echo "nameserver $DNS1" >> /et

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\laststate.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.507788548248957
Encrypted:	false
SSDEEP:	24:Z+So3i3tbY3tH303tHoS4G4A4tX8P93dETkdETdj939B4B45Y4B4te/Md/MNsG0:3o3i3RY3Z303ZoS4G4A4tX8P93dETkdn
MD5:	168C1B54036DDA2EF2C4D7E54CA598D8
SHA1:	1DB0C6E8F0B76AACA09E95CE63B85F7CEA3454EA
SHA-256:	3C1A91EC5C98214DA7EA615C3F4CA85F797191C1E0BAB034DE1A63C157D21C30
SHA-512:	AF99E6EBCFB31DB95712BA071C067E9AF8B84EA97023052E847E8E4D1BE83037FAECE88DC5C1AF64CE3189BE83721327D2A7A9D59A4CCF2AF903F1702635DEDF
Malicious:	false
Preview:	#!/bin/sh./bin/chmod -R 775 /usr/sbin/./bin/chmod -R 775 /usr/sbin/allnet/./bin/chmod -R 775 /etc/init.d/./bin/chmod -R 775 /www/.rm -rf /usr/lib/libcurl.so.rm -rf /usr/lib/libcurl.so.4.rm -rf /usr/lib/libcurl.so.4.2.0.ln -s /usr/lib/libcurl.so.4.3.0 /usr/lib/libcurl.so.4.ln -s /usr/lib/libcurl.so.4.3.0 /usr/lib/libcurl.so.rm -rf /usr/lib/libpcre.so.rm -rf /usr/lib/libpcreposix.so.0.0.0.rm -rf /usr/lib/libpcreposix.so.rm -rf /usr/lib/libpcreposix.so.0.rm -rf /usr/lib/libpcrecpp.so.0.0.0.rm -rf /usr/lib/libpcrecpp.so.rm -rf /usr/lib/libpcrecpp.so.0.ln -s /usr/lib/libpcre.so.1.2.5 /usr/lib/libpcre.so.ln -s /usr/lib/libpcre.so.1.2.5 /usr/lib/libpcre.so.1.ln -s /usr/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.ln -s /usr/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.ln -s /usr/lib/libpcreposix.so.0.0.3 /usr/lib/libpcreposix.so.ln -s /usr/lib/libpcreposix.so.0.0.3 /usr/lib/libpcreposix.so.0.ln -s /usr/lib/libpcrecpp.so.0.0.1 /usr/lib/libpcrecpp.so.ln -s /usr/lib/libpcrecpp.so.0.0.1 /us

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\lightly.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.819910079062262
Encrypted:	false
SSDEEP:	3:TKH4v++FiFBUFIstJ9iy8Ix7IEj5CN3V8E:h8QXJo+IEj5O3V8E
MD5:	3F48849B89F949EBB326EAE7DDF3CFA7
SHA1:	04EF2B2510D4ABC008A76FFB7E4FC9AB0689D1A3
SHA-256:	30D894DF50B6D608D254393889151603B1B032F98416F4F150966B25BE9EC8F8
SHA-512:	2188DB2627DC053A0789EC724682521D64C28D2ACF19E6434843ED72C694F691D91CB595869A366C1FE183152B34AECD2390B4E0BEE7BB964D7422DEB9946ED0
Malicious:	false
Preview:	#!/bin/sh.[ ! -z $1 ] && { usleep $1; }.kill -TERM $(cat /tmp/lighttpd.pid).

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\mem Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	474
Entropy (8bit):	4.9643256742219135
Encrypted:	false
SSDEEP:	12:GGK4q3o+TQ3SAArF+Tj3o+Tcm3SAArF+TcWRLM69sLR+be:yPQClrKjPJClrKrt2ae
MD5:	4B9541CE5EA2A912646D6A5B903AB531
SHA1:	CD9AAFC329F96D3BE2A2355064B43251BB26A65E
SHA-256:	227A73C4AF05D0F81C87F3B4AAD0BF52EC620D1668C0354C005E5C2BAD2FA383
SHA-512:	0CA0486BA8672EC9584F1B1330E9F5C9A0D780F9CC1ACE7146AC57634BE43807366A9D92B629BF104BE3089BCDB49A362B86AEDEF7E521785EA21C8805FA91E5
Malicious:	false
Preview:	#!/bin/sh..# (^ )(.) kB..#T=`cat /proc/meminfo \| grep MemTotal: \| cut -d ':' -f2 \| sed 's/^ //g'`.#F=`cat /proc/meminfo \| grep MemFree: \| cut -d ':' -f2 \| sed 's/^ //g'`.T=`cat /proc/meminfo \| grep MemTotal: \| cut -d ':' -f2 \| sed 's/^ //g' \| sed 's/ kB//g'`.F=`cat /proc/meminfo \| grep MemFree: \| cut -d ':' -f2 \| sed 's/^ //g' \| sed 's/ kB//g'`.#U=$(expr $T-$F).printf "Total:\t$T\n".printf "Free:\t$F\n".printf 'Used:\t%s\n' "$(( $T - $F))".#printf "Used:\t$U\n".

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\networking.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1681
Entropy (8bit):	5.27060490779872
Encrypted:	false
SSDEEP:	24:nKcmKXvmoktFPzHCD1Wgz4X24wGE9N1qC1z7k4jR4P1DkVUm3:Kcnq/4W2GmDy1g6m3
MD5:	E5CF876572D59B41ACEA4E2ECABF257B
SHA1:	A78E0AF896E09FEE01256FF7964E16E00CEF0A86
SHA-256:	AA94758409DC9CBB1611947C5300511A51031007C991899EC454B700210FAEF7
SHA-512:	3476E1B98D0F848ECE4B2B9F891F9057312509B4EBDE56993E7BE9EDFA8F55438DC9343E0741F3795912CF5206562B613C4F85F813620F9DC816E00BA0C7F88F
Malicious:	false
Preview:	#!/bin/sh.HOSTNAME=`/usr/sbin/allnet/sqldb_read /sys/network/hostname`.HWID=`/usr/sbin/allnet/sqldb_read /sys/hardware/numeric_model`.case "$1" in.start)..echo -e "\033[01;33m[NETWORKING] -- START\033[01;0m"..echo -e "\033[00;32mStart LAN\033[00;0m" > /dev/console../etc/scripts/lan.sh start..> /dev/console..echo -e "\033[00;32mStart WLAN\033[00;0m" > /dev/console../etc/scripts/wlan.sh start..> /dev/console..echo -e "\033[00;32mStart DHCP\033[00;0m" > /dev/console../etc/scripts/udhcpc.sh start..> /dev/console../etc/scripts/test_gateway.sh..if [ "$?" = "0" ] ;then. echo -e -n "\033[01;33m[S50] -- Set time -> \033[00;32m". /usr/bin/ntpdate -t5 -p1 pool.ntp.org. fi..echo -e "\033[00;32mStart NTP\033[00;0m" > /dev/console..if [ ${HWID} = "5000" ] ;then.../usr/sbin/allnet/lcd_write 0 `hostname`.../usr/sbin/allnet/lcd_write 1 `ifconfig br0 \| grep "inet addr:" \| cut -f1 -dB \| cut -f2 -d:`..fi..;;.stop)..echo -e "\033[01;33m[NETWORKING] -- STOP\033[01;0m"..echo -e "\033[0

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\nodtest.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	308
Entropy (8bit):	4.749234870788986
Encrypted:	false
SSDEEP:	6:hqasXGLsCsBW/1GjwuXjP0yyT/Y7/xVnwj99JSTSunyd3LM9kLZV:8asXGLxsBWNcbXjPhy0NNCBSTAd3Gkf
MD5:	DEF2B13770867E32BFC816B8BBDD0247
SHA1:	30BDCBF272D693EA0F645CD1D4133A9CC4F11661
SHA-256:	44FB76657478B1A4E2336D5559D4BA527BE3CA18CC0960E5BE10A49CF040549B
SHA-512:	395D16C5CA94769C00A6ED086E3FE55B3F37CB432DEE8C37BAF925F40C81748572550CF8FBA960183EC9EBE1D7A20F76317A88D17CDB660F4B566A182CA6621A
Malicious:	false
Preview:	#!/bin/sh.check="/dev/ttyUSB"..checkDevice() {.if [ -c "$1" ].then. echo "$1 is a character device. [OK]".else. echo "$1 is anything else. [DELETE $1]". rm -rf $1. echo "Create character device $1". mknod -m 666 $1 c 188 $2.fi.}.for i in `seq $1 $2`;.do. device="$check$i". checkDevice $device $i.done

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\ntp.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1450
Entropy (8bit):	5.322022173745269
Encrypted:	false
SSDEEP:	12:aapu4Ln5xGNwkHlH1kBjAdQRD8FfGhL6ugsGyJGbQI3f5ijILgsaaj5iGGxvLgsV:aaphGZqBdRDNLAn3fuM37zsKjVU
MD5:	7370C1570CC4712B5B483FB69B6E65AC
SHA1:	B55E7041FBF53DC1BE4FE605632F440E547D127C
SHA-256:	78B1749624E64B472B1E356DC4EC4A287DBCE836A727D1AD643865C071DDD04D
SHA-512:	B2F68FD0D25F3FBA0618F225115698269826CD58BBEEB5F1E16AAC8E5B000DF4CD0389A4743323FDCF62A8490BB5879934D8E5DFEB72D60A48D6A680D4B23B85
Malicious:	false
Preview:	#! /bin/sh.#.# System-V init script for the openntp daemon.#..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin/allnet.DESC="network time protocol daemon".NAME=ntpd.DAEMON=/usr/sbin/$NAME.NTPDATE_BIN=/usr/bin/ntpdate..# Gracefully exit if the package has been removed..test -x $DAEMON \|\| exit 0..# Read config file if it is present..if [ -r /etc/default/$NAME ].then... /etc/default/$NAME.fi..case "$1" in. start). .echo -e -n "\033[01;33m[NTP] -- \033[01;0m"..if [ -x $NTPDATE_BIN ] ; then...echo -e "\033[00;32mGetting initial time via ntp\033[00;0m" > /dev/console...$NTPDATE_BIN $NTPDATE_OPTS $NTPSERVERS > /dev/null 2>&1..fi..echo -e "\033[00;32mStarting $DESC: $NAME\033[00;0m" > /dev/console..start-stop-daemon -S -q -x $DAEMON..;;. stop). echo -e -n "\033[01;33m[NTP] -- \033[01;0m". echo -e "\033[00;32mStopping $DESC: $NAME\033[00;0m" > /dev/console..start-stop-daemon -K -q -n $NAME..;;. reload\|force-reload). echo -e -n "\033[01;33m[NTP] -- \033[01;

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\ntpdate.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.080816000769497
Encrypted:	false
SSDEEP:	6:hm4o0JJSB0PJRnFh0v1K/XCvlqiAlvpazS2E4AJJEA+4z:AK/wAiAl4zflAJ3+4z
MD5:	95A42AA8D9781911112612E4EC4A9463
SHA1:	704CFDAF8EAE321FBF746712A771BC2A6B788D0F
SHA-256:	AF3F2916323AB9599B7AA12D299FC6F6E39D5871A76CB25ED9DC77F392B2D844
SHA-512:	63DB99772222B9788111FE30EF5CD660CEC660640E57B03FD203C73F401E730A1D848C9C58B43968C4E4E571D4E8FA4573F5B17CF455452803128B2BE6898F5B
Malicious:	false
Preview:	#!/bin/sh.if [ -z ${1} ]; then. if [ -f /etc/ntp.conf ] ; then. NTPSERVERS=`cat /etc/ntp.conf \| cut -d ' ' -f2 \| xargs`. else. NTPSERVERS="pool.ntp.org ntp0.fau.de". fi.else. NTPSERVERS=$*.fi.echo -e "Time Servers used: $NTPSERVERS\n" > /tmp/ntp.log./usr/bin/ntpdate -t5 -p1 $NTPSERVERS >> /tmp/ntp.log 2>&1 &.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\offlineupdate.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2704
Entropy (8bit):	4.934447135275207
Encrypted:	false
SSDEEP:	48:HG12sjFrBY1HBAUNzNC/xBuHuVsp9Y/kJ5BBfydD/Bhz2XE7BNYB1DnXB6mBOBW4:HGfjM1+UN4mHudQ6DDXsIiOBHQXchf
MD5:	E98E42B65DE3C5353D3D6228E8289AB0
SHA1:	DF3CD8688698EB967DB09E8FA780F4AC6A0CEFB0
SHA-256:	0911781A03624C972288F16E159333074A4401558189B967D7289D219BD904F5
SHA-512:	685BE26A88BDE31C29C6C3BD478898A04F7189B85AE0A12136072E92FC4B67534D9C4C70D9DCADAFED39EF4B63F8777387BBB7199DF25F54577F1417335597DF
Malicious:	false
Preview:	#!/bin/sh.HW=`/usr/sbin/allnet/sqldb_read /sys/hardware`.DIR="/tmp/update".PATCHFILE="/tmp/update.zip".PROCESS="/tmp/update.process".MINMEM=1000.URL="https://update.allnet.de/v3/"..extract() {. unzip -o -q $PATCHFILE -d $DIR/ >> $PROCESS 2>&1. if [ $? -eq 0 ] ;then.. if [ ! -f $DIR/patch.inf ] \|\| [ ! -f $DIR/desc.txt ];then...echo "004# No information files found" >> $PROCESS...cleanprocess 4.. else...chmod -R 775 $DIR/...chown -R root:root $DIR/...rm /tmp/update.lock > /dev/null 2>&1...exit 0.. fi. else. echo "005# Extract error - No files found" >> $PROCESS. cleanprocess 5. fi.}...cleanprocess() {. rm /tmp/update.lock > /dev/null 2>&1. rm /tmp/update.result > /dev/null 2>&1. rm /tmp/update.zip > /dev/null 2>&1. rm -rf $DIR > /dev/null 2>&1. exit $1.}..runupdate() {. if [ -f /tmp/update.lock ] ;then. echo "PROCESS RUNNING ! ABORT !". exit 255. fi. if [ ${HW} = "arm" ] ;then. MEM=`/bin/df /tmp \| grep "/tmp" \| tr -s ' ' \| cut -d ' ' -f4`. else. MEM=`/

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\proftpd.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	696
Entropy (8bit):	5.1161656080943265
Encrypted:	false
SSDEEP:	12:5NPUhmdK8K+CBBi+eqF+NtTNsoeqircPSoVUTZDWghJ1ma4ORtFh+oqvRiQLglKN:5Kl+CBwoZiKDvEJQbs2k
MD5:	709B71AA8A5A53FA7B529336929E34C9
SHA1:	43887562147425E7349BF40E070530C55578BAE0
SHA-256:	9F4A452023738F8EB739CFF1BB72563FD7ECCDA41C0BA3978875B0490042222B
SHA-512:	5129E717E653B6CC4DD3CBEE3FB8B0980F765BE4573DAC296A9CBA439D5C5B4E63A9A6670E1E9F14EB20C976E53DCDFD78C253C9534655E504697A284CADD71D
Malicious:	false
Preview:	#!/bin/sh.PORT=`/usr/sbin/allnet/sqldb_read /sys/network/ftp/port`.sed -i 's/Port ./Port '${PORT}'/g' /etc/proftpd.conf..DAEMON=/usr/sbin/proftpd.trap "" 1.trap "" 15.test -f $DAEMON \|\| exit 0.[ ! -d /var/run/proftpd ] && mkdir /var/run/proftpd.[ ! -f /var/log/wtmp ] && touch /var/log/wtmp..start() {..echo -n "Starting ProFTPD on Port "$PORT..$DAEMON..if [ $? != 0 ]; then...echo "FAILED"...exit 1..else...echo "done"..fi.}..stop() {..echo -n "Stopping ProFTPD"..killall -9 proftpd. echo "done".}..case "$1" in. start)..start..;;.. stop)..stop..;;.. restart). .stop. .start..;;.. )..echo "Usage: /etc/scripts/proftpd.sh {start\|stop\|restart}"..exit 1..;;.esac..exit 0.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\reconfigure_wlan.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3886
Entropy (8bit):	5.319014338936497
Encrypted:	false
SSDEEP:	48:Nvc5G870FoF0FHaFPxZ6xrfi0krRLnwl0M1sJRSNn/A0M1s2RSNn/30M1eJRSNnT:Nvc5Gs0quUF3655U0Ev17VXjw
MD5:	2389A48CD1A73D1A8C2A6D4CA9F8665A
SHA1:	E592080C4C8B386148B512677CF13E7F5A0A0CAF
SHA-256:	D0214EAF92C1F5BC7E4D4948542A96BBB45EF9B3AC4E60480A14EA81D44C7009
SHA-512:	31B2FC26F306FE8B18DBCD8F59B4E5203A78CC74B50A226F9CAF1FDEE7AACE2E474F571CFE1E1E401EE7F4DA69E4F53319B4B06A566C1A68C4ECC4CD0F7AC09B
Malicious:	false
Preview:	#!/bin/sh..WLAN_MODE=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/mode`..WLAN_AUTHMODE_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/authmode`.CHANNEL_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/channel`.ENCKEY_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/enckey`.SSID_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/ssid`..WLAN_AUTHMODE_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/authmode`.CHANNEL_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/channel`.ENCKEY_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/enckey`.SSID_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/ssid`..if [ ${WLAN_MODE} = "disabled" ] ;then...iwpriv ra0 radio_off..brctl stp ra0 off..fi..if [ ${WLAN_MODE} = "ap" ] ;then...iwpriv ra0 set Channel=$CHANNEL_AP..iwpriv ra0 set SiteSurvey=1...if [ ${WLAN_AUTHMODE_AP} = "SHARED-WEP" ] ;then...iwpriv ra0 set AuthMode=SHARED...iwpriv ra0 set EncrypType=WEP...iwpriv ra0 set IEEE8021X=0...iwpriv ra0 set KEY1=$ENCKE

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\restore.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1362
Entropy (8bit):	5.056271736698825
Encrypted:	false
SSDEEP:	24:u4Ux+6N6S63A8HMZM8o9vJA8LK83lQhpq9xnIVJAlnIZnI3pnIyS:w06nh0P64nIqnIZnIZnIyS
MD5:	6B459CF98A4750CF63FC18FA5DB10E9B
SHA1:	2E1025175E56F9470D08D9FC4E79800232057D31
SHA-256:	37193A2426E7743231CA582BE36047755423E79D81808A575AC73897B4BFD290
SHA-512:	C6EC4D80873CA0150DCB8EFA3E4935C408F1737FD24C1C7B3785D325358BCC9D2330D0BF4644EC0A997F00C73A4115D12AFB3506BB704774ED2834771BFAEB22
Malicious:	false
Preview:	#!/bin/sh./etc/init.d/S70daemons stop &> /dev/null.rm -rf /etc/allnetenv/sensorhistory_ts* &> /dev/null.rm -rf /etc/allnetenv/log &> /dev/null.cp -rpf /tmp/restore/data / &> /dev/null.cp -rpf /tmp/restore/www / &> /dev/null.cp -rpf /tmp/restore/etc / &> /dev/null.if [ -d "/tmp/restore/opt" ] ; then..cp -rpf /tmp/restore/opt / &> /dev/null..cp -rpf /tmp/restore/wwwuser / &> /dev/null.fi.cp -rpf /etc/default/config_default.s3db /tmp/restore/confignew.s3db &> /dev/null.if [ -f "/etc/scripts/restoreupd.sql" ]; then../usr/bin/sqlite3 /tmp/restore/restore.s3db ".read '/etc/scripts/restoreupd.sql" &> /dev/null..sleep 1.fi./usr/bin/sqlite3 /tmp/restore/confignew.s3db ".read '/etc/scripts/restore.sql" &> /dev/null.sleep 1.cp -rpf /tmp/restore/confignew.s3db /etc/allnetenv/config.s3db &> /dev/null.MODE=`/usr/bin/sqlite3 /etc/allnetenv/config.s3db "SELECT value FROM config WHERE tag = '/sys/network/lan/ipmode';"`.IP=$MODE.if [ ${MODE} = "static" ] ;then..IP=`/usr/bin/sqlite3 /etc/allnetenv/config

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\restore.sql Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	861
Entropy (8bit):	4.958839675676771
Encrypted:	false
SSDEEP:	24:e3HUuIUuOUuUUuTCSZZYMcIa7aQBAabIU1TMZC:Tu9uzuBu2SZZlc13BhPVM8
MD5:	C817542FBF74DE6CC7584CDE25905C3D
SHA1:	7DF8068967CC96640792CAE1B0B1EB449A618EF7
SHA-256:	1F9E67AA29BE017D2B15047F4D03253B30224C1E1B257CBC9D57D2AFDDD0DE08
SHA-512:	64EAF33EA92A1B45FFA9E8852D11EA56A814E5CD69AE348B177D8A04B78C9DC8BBB53CBA88BFF0A0368C17D04FA363925D20D762C341E1ABBEBC1B2ACB3BA267
Malicious:	false
Preview:	attach '/tmp/restore/restore.s3db' as merge;.DELETE FROM merge.config WHERE tag = '/sys/firmware/versionnum';.DELETE FROM merge.config WHERE tag = '/sys/firmware/version';.DELETE FROM merge.config WHERE tag = '/sys/firmware/date';.DELETE FROM merge.config WHERE tag = '/sys/firmware/datenum';.INSERT or REPLACE INTO sensors_logical select * from merge.sensors_logical;.INSERT or REPLACE INTO external select * from merge.external;.INSERT or REPLACE INTO mapping select * from merge.mapping;.INSERT or REPLACE INTO frontend select * from merge.frontend;.INSERT or REPLACE INTO timer select * from merge.timer;.INSERT or REPLACE INTO matrix select * from merge.matrix;.INSERT or REPLACE INTO config select * from merge.config;.INSERT or REPLACE INTO camera_upload select * from merge.camera_upload;.INSERT or REPLACE INTO users select * from merge.users;.vacuum;.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\restoreupd.sql Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	941
Entropy (8bit):	4.952896966058967
Encrypted:	false
SSDEEP:	24:DkNMP0kNMjIMYkNMz78kNMHOMkNokEcYtukEc4MkEcgZ7kEcTZ7kEcAnZ7kktuks:D6MM6MjIMY6Mz786MHXUo2Ytu2Z282J6
MD5:	CC50E82FDF83E79EC0AB3309EF9BE7B1
SHA1:	BB0D6198FEBC70173727DCC13AC1809820B977C6
SHA-256:	EA22499DB0B05EF46627EF2B89F7341C85CC5BF88FAD1E33E4BE29BD1DC74018
SHA-512:	0B54EBA7922D8981AAEE01D49D1D6921E2AE85D1224EABD6589D97CBA8FC6FE1D4CB7AED53C02F5E67D4B50870F0DAB842AC4DC0B3E9ED2CA5AE8054ACF11D71
Malicious:	false
Preview:	BEGIN TRANSACTION;.ALTER TABLE sensors_logical ADD COLUMN [actor_analogValue] text;.ALTER TABLE sensors_logical ADD COLUMN [digitalToText] text NOT NULL DEFAULT "0;;";.ALTER TABLE sensors_logical ADD COLUMN 'tileColors' TEXT NOT NULL DEFAULT '1E7EAC;900000;900000';.ALTER TABLE sensors_logical ADD COLUMN 'tileFormats' TEXT NOT NULL DEFAULT '55;';.ALTER TABLE external ADD COLUMN 'buildgroup' text NULL;.ALTER TABLE timer ADD COLUMN actor_type text NOT NULL DEFAULT 2;.ALTER TABLE timer ADD COLUMN actor_analogValue text;.ALTER TABLE timer ADD COLUMN matrixID TEXT;.ALTER TABLE timer ADD COLUMN matrixAction TEXT;.ALTER TABLE timer ADD COLUMN flowControlID TEXT;.ALTER TABLE matrix ADD COLUMN actor_type text NOT NULL DEFAULT 2;.ALTER TABLE matrix ADD COLUMN actor_analogValue text;.ALTER TABLE matrix ADD COLUMN flowControlID TEXT;.ALTER TABLE matrix ADD COLUMN validateValue TEXT;.ALTER TABLE matrix ADD COLUMN sortExecution TEXT;.COMMIT;.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\runscript.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.9701755214643457
Encrypted:	false
SSDEEP:	3:TKH4vWJPQpS:hgsS
MD5:	C2EC1AB7F442247B8A540173C883842A
SHA1:	C88DDE7AADEEF3641ED5343EE6B7D3F68F00A9DC
SHA-256:	10DE256A842F36FB36CE60FD19D75F1107D15148F3DA50FC3D35241498C2FEF2
SHA-512:	8E7A299F223FB66D2D8A651C724AE8CBE6BAE02E941CBC736FC7AD7167168C9EB471B50C132087117A325C037FE2C447F65CDBE943296126295604CAB094B0B3
Malicious:	false
Preview:	#!/bin/sh.sleep $1.$2 $3

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\setpass.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.242329531539919
Encrypted:	false
SSDEEP:	3:TKH4veA9FABjXHaYmFABjXHEiWrFHBUH:hmAABTaoBTEhe
MD5:	D6A3F76BDEDF51F9B3B328ABB1CBA172
SHA1:	14F574F4420465B29AA5596A561A0528778A9227
SHA-256:	31A0EAF3A52768FAF387A8272F266157FD513D6A9FFB5FCE95968555B4F2F366
SHA-512:	27834C387618D02B0DF4AA4D532DFF4DB1B6D2F147F84770A6560DD312BC15AF8C22C826EE1663554D715CCFB62441EA8088C5E1258DB3EB6911D8D29713A253
Malicious:	false
Preview:	#!/bin/sh.( sleep 2; echo "$2"; sleep 2; echo "$2") \| passwd "$1"

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\sqliterc Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.729725089502267
Encrypted:	false
SSDEEP:	3:OnSKvIKqKAv:OSKQKqKK
MD5:	BA8C98C02B372DA06206DD0EC11CE5EA
SHA1:	F0D5949870B0699F2B427DDBA8BAD397D0A9E08E
SHA-256:	CC235BB8390A643C609BB3EFFFD68E04E9A8049CFDD829AC4B5F18541A4AB8F4
SHA-512:	A1D5E75E85DD9D78487273B7CFAF96F5615A6C7B9829B23BF60163433E560D9BD53255A807A8E181D8954AFE43133EB894406496985FAC3653B894719925DEFF
Malicious:	false
Preview:	.timer on..headers on..mode line.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\startstop.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2379
Entropy (8bit):	5.145153703840673
Encrypted:	false
SSDEEP:	48:LBDL4dkKo3PH3zSXD/Hz0WI//dAm4w7Ro3MAm4wT4Boxnv69tw:LBDL4KPH3zSXDvz0WIHKmfmmBxnGe
MD5:	FAA431EEE71244E78D678DC9069441D1
SHA1:	4C12770A9D6F764BC885D6A8CE06C38175CD3A68
SHA-256:	2732CF511406599E175C8DB33C88D5059F75CD792D47C9DC2FB45B78950451B4
SHA-512:	C17BB9BD4B47DE308B0E1BED60478A8A0E8B36F0467E0960D3957F096ADCD71F89E7E8F896C78CDE1CF4EFD02043864BDD0FE318564FD6C81E8735CFA141BBC3
Malicious:	false
Preview:	#!/bin/sh.PLATFORM=`/etc/scripts/get /sys/platform`.PIDFILE="/var/run/".if [ ${PLATFORM} = "arm" ] \|\| [ ${PLATFORM} = "RT3352" ];then..PIDFILE="/tmp/".fi.DAEMON_PATH="/usr/sbin/allnet/".LOGFILE="/tmp/startdaemon.log".QUIET="--quiet".if [ "$3" = 1 ] ; then. QUIET="--verbose".fi.startd() {. /sbin/start-stop-daemon --start $QUIET --background --make-pidfile --pidfile "$PIDFILE$1.pid" --exec "$DAEMON_PATH$1" --test #> /dev/null. # /sbin/start-stop-daemon --start $QUIET --background --pidfile "$PIDFILE$1.pid" --exec "$DAEMON_PATH$1" --startas /bin/sh -- -c "root:root" >> $LOGFILE 2>&1 \. # \|\| return 2.}..stopd() {. /sbin/start-stop-daemon --stop --quiet --retry=TERM/1/KILL/5 --signal 5 --pidfile $PIDFILE$1.pid. RETVAL="$?". [ "$?" = 2 ] && return 2. /sbin/start-stop-daemon --stop --quiet --oknodo --retry=0/1/KILL/5 --signal 9 --exec $DAEMON_PATH$1. [ "$?" = 2 ] && return 2. RETVAL="$?". rm -rf $PIDFILE$1.pid. return $RETVAL.}..pidd() {. if [ -f "$PIDFILE$1.pid" ] ; then. .PID=`c

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\startupdate.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3802
Entropy (8bit):	5.164431526133882
Encrypted:	false
SSDEEP:	96:rKdjA+4lgL9Zf+Zgmp+M1S3T9H6jTHLqCtbD7MEEQFTh4Ec:mAu9Z7mpf4TYPhbD7XlC
MD5:	BDB7303FC7DBA6A28F7CFE61D64FCF56
SHA1:	C2E1F7F54D0B612832164FA8AD2D49C7A11BFA29
SHA-256:	1A4999A7E0D9E9BA48C8B10E1437C175C82CCE8D866C7CBBFFA91B70B05FD912
SHA-512:	67A4C55CA30FD24B7FCCC9765AE58733857D8BD1617BD3B00942B5742C03B8873E27772E7BE1EF0830A5C2F45A1C083DA450707CA124B74F2B801CB448CB84C7
Malicious:	false
Preview:	#!/bin/sh.export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.HW=`/usr/sbin/allnet/sqldb_read /sys/hardware`.DIR="/tmp/update".DWLDDIR="https://update.allnet.de/files".PROCESS="/tmp/update.process".MINMEM=5000.URL="https://update.allnet.de/"..getfile() {.# ACHTUNG ZUM TESTE FALSCHE SERVER PFAD ANGEGEBEN!!!!!. if curl --tlsv1.2 --ssl-reqd --output /dev/null --silent --head --fail $DWLDDIR/$1. then. curl --tlsv1.2 --ssl-reqd --silent --output $DIR/update.zip --remote-name $DWLDDIR/$1. processinfo 1 $2. if [ ! -f $DIR/update.zip ] \|\| [ ! -s $DIR/update.zip ] ;then. echo "003# No file or filesize is 0" >> $PROCESS. processerror 1 $2. cleanprocess 3. # exit 3. fi. else. .echo "002# No file downloaded, file not exists" >> $PROCESS. processerror 1 $2. cleanprocess 2. # exit 2. fi.}..extract() {. #TEST=`unzip -o -q $DIR/update.zip -d $DIR/ >> $PROCESS 2>&1`. unzip -o -q $DIR/update.zip -d $DIR/ >> $PROCESS 2>&1. if [ $? -eq 0 ] ;then. proce

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\suninfo.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	a /usr/bin/php script, ASCII text executable
Category:	dropped
Size (bytes):	1804
Entropy (8bit):	5.329021711895984
Encrypted:	false
SSDEEP:	48:QtMhsc2EiEYxXeIP1p5x4ukx451Vx4+Cx4bAU5x4bAo4x41Hx4dmx4UNx4otGK5Y:KMhsc2TzXlPD94s9xyov88iRGGvjfRY
MD5:	EF1B7700A92BE8EB80835C355F4BF8E8
SHA1:	EC0464CEF8C2B706081933B91AFA24411BFD9154
SHA-256:	B9D289671E2857FD4C236CA90F88AF494A215CD91770E00188C48EA39B521B0B
SHA-512:	5C79E6E68A843BB9925C8DBD49FC7648B1D68E8E40D39F1D9337BB848DF6095492081D1BC27AB41B1DF801C773929EB0B4AAEBE028F9A3BC9AE2D97279A3671C
Malicious:	false
Preview:	#!/usr/bin/php.<?php.$db = new PDO('sqlite:/etc/allnetenv/config.s3db', '', '');.// $output ="day;date;sunrise;sunset;transit;civil_twilight_begin;civil_twilight_end;nautical_twilight_begin;nautical_twilight_end;astronomical_twilight_begin;astronomical_twilight_end\n";.$output=null;.if($argc==2) {..$id=$argv[1];..$stm="SELECT sunInfo FROM timer WHERE id='".$id."';";..$result = $db->query($stm)->fetchColumn(0);..$data=json_decode($result, true);..$north=$data['geoData']['city_lat'];..$west=$data['geoData']['city_lng'];..$today=date("Y-m-d");..$nextday=date('Y-m-d',strtotime($today . "+1 days"));..$suninfoTDY = date_sun_info(strtotime($today), $north, $west); // lat = Nord long = West..$suninfoNXD = date_sun_info(strtotime($nextday), $north, $west); // lat = Nord long = West..if($data['sunType']=="0" \|\| $data['sunType']=="") {...echo "99:99:99";..} else {...switch ($data['sunType']) {....case 1:.....$output=date("H:i:s",$suninfoTDY['sunrise']);.....break;....case 2:.....$output=date("H

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\test_connection.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1017
Entropy (8bit):	5.295832307389989
Encrypted:	false
SSDEEP:	24:o1cmKXvEiTSriuFg79M9Jd/0FLriuFfb4s4s4o8FEy:acnMJrv+iJ/0FLrvfb4s4tFT
MD5:	F1E89E500255CE1704DDA1DC453B962C
SHA1:	2BF26F54B63C6C60C8D3F91D0B437ADDA69D2BAD
SHA-256:	A839CB3B07903A5E8D5957A752EBBD507A56DE86E264F20590B22B71C1D5BC71
SHA-512:	303284377C740D4F8E4C6B556B5F6D8B433B79F100C1C4DB586A91813E73798C446CC188A92E972310AFFA7430316F321949F9B79A8B31A40EBE048F7D63F473
Malicious:	false
Preview:	#!/bin/sh./etc/scripts/test_gateway.sh.if [ "$?" = "0" ] ; then. HWID=`/usr/sbin/allnet/sqldb_read /sys/hardware/numeric_model`. printf "test connection (1 try google)\t\t". CONNECTION_A=`curl -s --connect-timeout 3 --max-time 5 --head http://www.google.de \| head -n1 \| sed 's/HTTP\/1\.[10]\ //' \| sed 's/\ OK//'`. if [ -n "$CONNECTION_A" ] && [ "$CONNECTION_A" -ge "200" ] && [ "$CONNECTION_A" -le "307" ] ; then..echo -e "[\033[1;32mOK\033[0m]"..exit 0. else. .echo -e "[\033[1;31mFAILED\033[0m]". printf "test connection (2 try allnet)\t\t"..CONNECTION_B=`curl -s --connect-timeout 3 --max-time 5 --head http://www.allnet.de \| head -n1 \| sed 's/HTTP\/1\.[10]\ //' \| sed 's/\ OK//'`..if [ -n "$CONNECTION_B" ] && [ "$CONNECTION_B" -ge "200" ] && [ "$CONNECTION_B" -le "307" ] ; then.. echo -e "[\033[1;32mOK\033[0m]".. exit 0..else.. if [ ${HWID} = "5000" ] ;then. /usr/sbin/allnet/lcd_write 0 "NO INTERNET CONNECTION". fi. echo -e "[\033[1;31mFAILED\033[0m]". exi

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\test_gateway.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	244
Entropy (8bit):	5.290912425156432
Encrypted:	false
SSDEEP:	6:hZWyqUGvVXamN3EMSMrccvghbIc5r5JU5y6vn:OyFY53gXSBi16vn
MD5:	060251C4C532BCAD5F8BA4E439BD7746
SHA1:	4C129AC167655112BB28DA031CBEF065A0D2D488
SHA-256:	42367624B56819A0F2795FBCBEBE7D41C1BEBFFD91FD75275945CEDBE28BA7A5
SHA-512:	89F3CA7D602066B6C17348CB8EB2AB870E5057B132730CA19CC911824AA442ED3206C8DC6B18D4B3590AFAB7DB0FE2C675FC144A60377D30CEEDDF43B749B57A
Malicious:	false
Preview:	#!/bin/sh.dgw=`route -n \| grep ^0.0.0.0 \| awk '{print $2}'`.printf "test default gateway ($dgw)\t".ping -c1 -W 1 $dgw &>/dev/null.if [ "$?" = "0" ].then.echo -e "[\033[1;32mOK\033[0m]".exit 0.else.echo -e "[\033[1;31mFAILED\033[0m]".exit 1.fi..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\test_mail.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1953
Entropy (8bit):	4.80134829340931
Encrypted:	false
SSDEEP:	24:5EpOCvj+KuMQmKVKCtKIDKomKyQ7TLK+j1InwgHLKRdkWh5K+j1An5FBSLKRj:5EpvD+AC4HUTBj1ASdkqj1gHj
MD5:	77FD7AD962768482D844AC57D473389F
SHA1:	737BCB110AFAB963021A2237B8755158FEC933F0
SHA-256:	A43D01BAC22D14EF99B7E5E64457F933F4FAAA64C35AD91807163AAA54FA0038
SHA-512:	1C10D6CC641A9AE086ACF06F6AE53B27243EC8E367243ABCE78DFC764E417D7DC6A237FB976F1FE0F5EDB10E26DB6AB89D32B7BDE1D1ADF2D06B3F700903F116
Malicious:	false
Preview:	#!/bin/sh.if [ "$#" -ne 2 ]; then. echo "Usage: test_mail.sh demo@demo.com /tmp/mail.txt". exit 1.fi.############################# UPDATE CONFIG FILES chip, device.if [ -f "$2" ] ; then. CURL_LOG="/tmp/mail.log".FROM=`/usr/sbin/allnet/sqldb_read /sys/network/mail/sender`.SMTP=`/usr/sbin/allnet/sqldb_read /sys/network/mail/smtp`.PORT=`/usr/sbin/allnet/sqldb_read /sys/network/mail/smtpport`.USER=`/usr/sbin/allnet/sqldb_read /sys/network/mail/user`.PASS=`/usr/sbin/allnet/sqldb_read /sys/network/mail/pass`.STYP=`/usr/sbin/allnet/sqldb_read /sys/network/mail/smtpssl`.PROTO="smtp".[ ${STYP} -eq 0 ] && { PARAM=""; }.[ ${STYP} -eq 1 ] && { PARAM="--ssl";PROTO="smtps"; }.[ ${STYP} -eq 2 ] && { PARAM="--ssl --ssl-reqd"; }. echo "----------------------------------------------------------------------------------------------------". echo -e "USING PARAMETER:\n $PARAM --insecure --mail-from \"$FROM\" --mail-rcpt \"$1\" --url $PROTO://$SMTP:$PORT --u \"$USER:*****\" --upload-file $2 --anyaut

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\test_timeserver.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	a /usr/bin/php script, ASCII text executable
Category:	dropped
Size (bytes):	2575
Entropy (8bit):	5.278710236064136
Encrypted:	false
SSDEEP:	48:Or3DOb+JQIuEu9t8TMVl4z1zYeRqd4C2gW2H2uag2CwoBU7IOXYKxQ8Y5:Orqb+JatoMVly1zYeRqJKOXTpp8M
MD5:	6A16108189B905CCA614C7626DDF260B
SHA1:	3FE7D9AC8CB4834DF3035971A4E8513BDA71D2DD
SHA-256:	10B625426039ED3E56BE77FF181DAA601F32B44A367B5B7E12BE262A844CE343
SHA-512:	47C034F092C5A06B1E65B4508A6750126D1D3FCCFAA8FD1A8AD8C87679E8AB4C7C4D9B101CDDF9C2DE98D673C9699D6AE08C1273E0BCBCEA1C057728A183009A
Malicious:	false
Preview:	#!/usr/bin/php.<?php.$platform=exec("/etc/scripts/get /sys/platform");.$path="/etc/ntp.conf";.if($platform=="arm") {..$path="/etc/default/ntpd";.}.if(count($argv)==1) {..echo "\$Usage: /etc/scripts/test_time_server.sh\n";..echo " -s Set Date & Time\n";..echo " -o Print Response (JSON)\n";..exit();.}.$response=array("error"=>"false", "error_on"=>null, "server_count"=> null, "timestamp"=>null, "setdate"=>null, "datestr"=>null, "timezone"=> null, "timeserver"=>null);.function test_time_server($timeserver) {..error_reporting(0);..$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);..socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array('sec' => 2, 'usec' => 0));..socket_set_option($sock, SOL_SOCKET, SO_SNDTIMEO, array('sec' => 2, 'usec' => 0));..$response['timeserver']=$timeserver;..$response['exit']=0;..if(socket_connect($sock, $timeserver, 123)) {...// Request - Connect Ok...$msg = "\010" . str_repeat("\0", 47);...if(socket_send($sock, $msg, strlen($msg), 0)) {....// Receive - Se

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\udhcpc.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1288
Entropy (8bit):	5.307689955814726
Encrypted:	false
SSDEEP:	24:GKqiKiRKFFgtMPA46yaEjZyyCFjxmPADIXgUblF8DkDH:Ha5DQJyH4y4txeLf88H
MD5:	6987B132FB65B057D7F2661ED604F3B3
SHA1:	7DA34DAC78A91D5F00E71A8557F8514D4EEAD7A9
SHA-256:	9DCCB18C6678BE8414749EB630F7A9048CD8DFD2404C526D91B09A170068E58C
SHA-512:	86BD31E5C07C3684ACA6054C246A4037B572A62ED9AF0D3E515572BC3884F66D77908D2BD7F255C6F752F5BA1959DC57CFD4A47CC7E6BC09671E56A1009FDAB7
Malicious:	false
Preview:	#!/bin/sh..IPMODE=`/usr/sbin/allnet/sqldb_read /sys/network/lan/ipmode`.HOSTNAME=`/usr/sbin/allnet/sqldb_read /sys/network/hostname`.LOCALDOMAIN=`/usr/sbin/allnet/sqldb_read /sys/network/localdomain`..case $1 in.. .start)....if [ "$IPMODE" = "dhcp" ] ; then....echo -e "\033[01;33m[udhcpc] -- Start udhcpc client\033[01;0m".#.../sbin/udhcpc -b -H $HOSTNAME -F $HOSTNAME -i br0 -p /tmp/udhcpc.pid > /tmp/dhcplease 2>&1..../sbin/udhcpc -b -H $HOSTNAME -F $HOSTNAME -i br0 -t3 -p /tmp/udhcpc.pid > /tmp/dhcplease 2>&1....if [ -f "/tmp/dhcphelperadd" ] ; then...../tmp/dhcphelperadd > /dev/null....fi....IP=`cat /tmp/dhcplease \| awk '/Lease of/{print $3}'`....LOCALDOMAIN=`cat /etc/resolv.conf \| awk '/search/{print $2}'`....echo -e "\033[01;33m[S20] -- Setting hostname -> \033[00;32m$HOSTNAME\033[00;0m" > /dev/console....echo "$IP.$HOSTNAME.$LOCALDOMAIN.$HOSTNAME" > /etc/hosts....echo "127.0.0.1.localhost.$LOCALDOMAIN.localhost" >> /etc/hosts..../bin/hostname $HOSTNAME.$LOCALDOMAIN...else if

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\udhcpd.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2622
Entropy (8bit):	5.365941264673914
Encrypted:	false
SSDEEP:	48:JmIL0Fxn8sj1UTIXnfaX9XFIe4blUNRqZMZAZ2ZneZ9xZSZnZVgZSZ8XZtZQZGZ0:Jm8yxnXj1UTIXnfaX9XFIe4pUnqZMZA2
MD5:	64C646DA82A4DDE24646C0E22C55AEE0
SHA1:	59C9C81DC286812C2C14FE73F7FCAA8800C6266F
SHA-256:	ABD45B4DF8BF22991FD319A396163F98498CB1BC0F549E6D0908CB7161BB6827
SHA-512:	DF4697872ACED710A78EDDD2CCE00028E853DF05CD6682565BCC1EDD3A4803B3B41A6D54179ACF5B0655CBDA6B2AD37715D6E726F57D73245927601F1E7DB2F3
Malicious:	false
Preview:	#!/bin/sh.#.# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $.#....# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?.# Separate multiple interfaces with spaces, e.g. "eth0 eth1"..#INTERFACES="br0"...# It is not safe to start if we don't have a default configuration....#echo "/etc/init.d/dhcp-server not yet configured! - Aborting...".#exit 1;.ENABLE=`/usr/sbin/allnet/sqldb_read /sys/network/udhcpd/enable`.IFACE=`/usr/sbin/allnet/sqldb_read./sys/network/udhcpd/iface`.LEASEFILE=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/leasefile`.PIDFILE=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/pidfile`.AUTOTIME=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/autotime`.DOMAIN=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/domain`.ROUTER=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/router`.STARTIP=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/startip`.STOPIP=`/usr/sbin/allnet/sqldb_read ./sys/network/udhcpd/stopip`.SUBNET=`/usr/sbin/a

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\umtsdial.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	517
Entropy (8bit):	4.680197298016819
Encrypted:	false
SSDEEP:	12:WNPUhuuaJlNiKGBNuB6d2NuB6lq1kaYFhOlKNTl9:WKlaJ3iKs4a24R2QM
MD5:	F32023F7A205F68A7A5F76C097114E48
SHA1:	A4C5626007D16F4DAD90D3ACF5CADDAB599EC48A
SHA-256:	AFCA6AE42FD934BECC16E523ACA011CF034DE9B4336C194C3A0EA6A19896133D
SHA-512:	B73E5EDD45D249DE5A43AE24AB087CD345D690404288465A30771F7A1F959A3A9633AFABA079456B5F93B68585A31D7291AFD53E4CD0D7CE09BDA5F1B829E900
Malicious:	false
Preview:	#!/bin/sh..GW=`/usr/sbin/allnet/sqldb_read /sys/network/lan/gateway`..case $1 in.. .start)..echo "dialing umts network....."..route del default../usr/sbin/pppd call 3gdial../usr/sbin/allnet/lcd_write 0 `hostname`../usr/sbin/allnet/lcd_write 1 `ifconfig ppp0 \| grep "inet addr:" \| cut -f1 -dB \| cut -f2 -d:`. ;;.. stop)...killall -9 pppd..route add -net 0.0.0.0 netmask 0.0.0.0 gw ${GW}.. ;;.. restart). $0 stop. sleep 3. $0 start. ;;.. *). $0 restart. ;;.esac...

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\wlan.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	545
Entropy (8bit):	4.714224024214437
Encrypted:	false
SSDEEP:	12:hqLYeKmwsaElASSJ1E1A/t0wW8allKN2RBl9:gLHHtdAS+EOteXH
MD5:	A3F4714CE3A973D751B7BC75B62E367D
SHA1:	0D20CA70932A0A5F9F9D7925759FAE5535144ECC
SHA-256:	3635C617A3C98AA41C1293EF56884D1BC6DDE8BFB6EC62E28948B4AE8A7F1243
SHA-512:	43CE4B8BBC11C3C4517E5604C02153495ECF24ED92F468BD63B5ABCAC3CDF4548AFA8B37695F16C55EF16B5DD73EAA1162561750405518864AB816BB20FC1D25
Malicious:	false
Preview:	#!/bin/sh..case $1 in.. .start)..echo -e "\033[01;33m[wlan] -- Start wireless in ${WLAN_MODE} mode\033[01;0m"..ifconfig ra0 0.0.0.0 up..brctl addif br0 ra0..MACBR=`/sbin/ifconfig \| grep 'ra0' \| tr -s ' ' \| cut -d ' ' -f 5`. /sbin/ifconfig br0 hw eth ${MACBR}. /etc/scripts/reconfigure_wlan.sh.> /dev/console.. ;;.. stop)...#ifconfig br0 down..ifconfig ra0 down..brctl delif br0 ra0... ;;.. restart). $0 stop.# sleep 1 second. sleep 1. $0 start. ;;.. *). $0 restart. ;;.esac.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\scripts\wlan_arm.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	6534
Entropy (8bit):	5.348028470273635
Encrypted:	false
SSDEEP:	192:kt/FDltAF01bYUFG1ly+F/ChpQequ6IYZkHqu6InZkGru6IYZk/ru6InZk9zo0P8:kt5ltAF01bYUFGHy+F/ChpQeqNIYWHqc
MD5:	49B86D628D89701E30C43A1D3B2B450D
SHA1:	C2C5808CEA493B1B734231BC3C18AB47097FA7CF
SHA-256:	0F44163D7CA672802F30E8E7C38994B95EF5F17E4B6319C8E008AF87CA305FD1
SHA-512:	689072A518A6BD89AB493BEBAEBFE8548BF6B746AED9D6FCF4E980986506214C6C1B4B767101129224D1400D96CDBC3DD23F6D5883DEF4095B4207D9BE9BB917
Malicious:	false
Preview:	#!/bin/sh..WLAN_MODE=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/mode`..WLAN_AUTHMODE_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/authmode`.CHANNEL_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/channel`.ENCKEY_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/enckey`.SSID_AP=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/ap/ssid`..WLAN_AUTHMODE_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/authmode`.CHANNEL_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/channel`.ENCKEY_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/enckey`.SSID_STA=`/usr/sbin/allnet/sqldb_read /sys/network/wlan/sta/ssid`..if [ ${WLAN_MODE} = "disabled" ] ;then..ifconfig wlan0 up..fi..case "$1" in..start)...if [ ${WLAN_MODE} = "ap" ] ;then. ...echo -e "\033[01;33m[wlan] -- Start wireless in ${WLAN_MODE} mode\033[01;0m". ..ifconfig wlan0 0.0.0.0 up. .test -f /usr/sbin/hostapd \|\| exit 0. .MACBR=`/sbin/ifconfig \| grep 'wlan0' \| tr -

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\shadow Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	371
Entropy (8bit):	3.829313510683769
Encrypted:	false
SSDEEP:	6:fHukc63mEcW4ltc63S45W4ltc63G4ltc63Y4ltc639x4ltc63qQHW4ltc632J5nX:fHukA1hto45htrt1tWtEQHhtMJ5btktc
MD5:	D36FC78CE50CEA0D378B8DADF5DCF2B7
SHA1:	50C3A6E56247FE98DE7E6C13F66F70DDCD111A2C
SHA-256:	474E3B655B55FFAFA59039E131F634814BD01F4B03553AC4F43B93B7E2D8684D
SHA-512:	477DC407777AD6FCC062F86629BFCF297A63CEE4424A5990AC30D092816902112870B879E0090ED29A86D1B509B3C5512E31E6834D9EB0560187D0E8969C84AD
Malicious:	false
Preview:	root:ruGUiVbAPJ2nQ:16223:0:99999:7:::.bin::10933:0:99999:7:::.daemon::10933:0:99999:7:::.adm::10933:0:99999:7:::.lp::10933:0:99999:7:::.sync::10933:0:99999:7:::.shutdown::10933:0:99999:7:::.halt::10933:0:99999:7:::.uucp::10933:0:99999:7:::.operator::10933:0:99999:7:::.ftp:J6L6ovIjro0/I:16223:0:99999:7:::.nobody::10933:0:99999:7:::.default::10933:0:99999:7:::.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\certs\ca-certificates.crt Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	261921
Entropy (8bit):	6.003495140026641
Encrypted:	false
SSDEEP:	6144:/Ny5WXkqx9NGUqd9Eo7kiNR6ntcm+d4tLKb0wbTDdT2:/NyALYBd76tI4tLC0wbTp2
MD5:	D98D2BB479D837E60A3D3C5071D8D482
SHA1:	F749F6F4D7A85CF6BAC736DF6673654593C922B7
SHA-256:	CC08915AA0D60881B8F48D5C347D51C5091965D2C013D9B011E0D8122CAB4FBE
SHA-512:	917760629388C56D4DD3B1755ACA7B1BD8435E3EA20249BC63773F25118E59BE4D01A7E63B3155D10E3B6CBC12CFD5D1A75070A652AB632E58AA7E2B16C7F2DF
Malicious:	false
Preview:	##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Wed Jan 18 04:12:05 2017 GMT.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.27..## SHA256: dffa79e6aa993f558e82884abf7bb54bf440ab66ee91d82a27a627f6f2a4ace4.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx.GTAXBgNVBAoTEEdsb2Jh

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\CA.pl Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	Perl script text executable
Category:	dropped
Size (bytes):	5679
Entropy (8bit):	5.315617831218575
Encrypted:	false
SSDEEP:	96:Q4Ssk299ohQ2ljKumEt0PG0XP0XHAs1fCnVnWc1uvC008y0qbVx0xE09dlhqpzEl:g2ToJl9JtBOKT1fYRZua0EFbVxqE6lgm
MD5:	9909F53BAAB25B734795232346823D2F
SHA1:	8DF1FB57B69AD653EAB06442212639298A00A988
SHA-256:	5F6CA05AC40FA2AD32818BE7B073171AFFEE2D4DE870C6D499B4934EA4383A59
SHA-512:	4C5B7A2BE20877AAA72040444FCDDFDEC1086933CE1D6123CF4DFC8A75420061B48E07909F22186437CB47A50291AD4D45A07AFE1455C59CED644C9E39E04B7C
Malicious:	false
Preview:	#!/usr/bin/perl.#.# CA - wrapper around ca to make it easier to use ... basically ca requires.# some setup stuff to be done before you can use it and this makes.# things easier between now and when Eric is convinced to fix it :-).#.# CA -newca ... will setup the right stuff.# CA -newreq[-nodes] ... will generate a certificate request .# CA -sign ... will sign the generated request and output .#.# At the end of that grab newreq.pem and newcert.pem (one has the key .# and the other the certificate) and cat them together and that is what.# you want/need ... I'll make even this a little cleaner later..#.#.# 12-Jan-96 tjh Added more things ... including CA -signcert which.# converts a certificate to a request and then signs it..# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG.#.. environment variable so this can be driven from.#.. a script..# 25-Jul-96 eay Cleaned up filenames some more..# 11-Jun-96 eay Fixed a few filename missmat

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\CA.sh Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	5175
Entropy (8bit):	5.131915190918098
Encrypted:	false
SSDEEP:	96:N4mTH29bB2aylD2FDO0ge+Rdnzf6UATRXaXa2xzv4UUB8Hl1vspFrR1IdfNpQVH:pH2RQaw2xONe+3ziU04K2Zk8Hl1vsHRP
MD5:	948439FD3F17DC7D9511305AA1F1355A
SHA1:	5549C358473A0ED23A335360BEFC29D1B03492EA
SHA-256:	E3498565C807F32574F11B10A29AFA7462FB556B09DE77D9BD631EC24B6EBBA8
SHA-512:	5027860D83C35DC454034B9B394BA6B72DD5DAFB6B287289AFAF28F3FA2DF07EFED92D009B5D8EED3794A13334897F45596516D3978687331D34A9892D7706F1
Malicious:	false
Preview:	#!/bin/sh.#.# CA - wrapper around ca to make it easier to use ... basically ca requires.# some setup stuff to be done before you can use it and this makes.# things easier between now and when Eric is convinced to fix it :-).#.# CA -newca ... will setup the right stuff.# CA -newreq ... will generate a certificate request.# CA -sign ... will sign the generated request and output.#.# At the end of that grab newreq.pem and newcert.pem (one has the key.# and the other the certificate) and cat them together and that is what.# you want/need ... I'll make even this a little cleaner later..#.#.# 12-Jan-96 tjh Added more things ... including CA -signcert which.# converts a certificate to a request and then signs it..# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG.# environment variable so this can be driven from.# a script..# 25-Jul-96 eay Cleaned up filenames some more..# 11-Jun-96 eay Fixed a few filenam

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\c_hash Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.60920891689247
Encrypted:	false
SSDEEP:	3:TKH4vSVXKFf8bgQACv4vQFEePZV2vnQVxFtlFNIVhrBNL35F:heXefqVACvi7C2vnMlFUP35F
MD5:	11612E0BAC6E19E1BB35D038E691B72C
SHA1:	DEBB1D58B936BE53E4DE00FCCA51453964A2E7CB
SHA-256:	AD7354E44D8B30FBF151691DFF0032D3D4C9AA622B264CCF5760D6495EEEAAA4
SHA-512:	D7A80AD956812B90237B0E0D1BC2D95A7C676AE2C6822FCC45CE7DA90C3C762856EC866860E8422BF0EA88A6CD70E0856A29A61A66F613A91CF36703CB8228F6
Malicious:	false
Preview:	#!/bin/sh.# print out the hash values .#..for i in $*.do..h=`openssl x509 -hash -noout -in $i`..echo "$h.0 => $i".done.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\c_info Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	152
Entropy (8bit):	4.548403102077728
Encrypted:	false
SSDEEP:	3:TKH4vT6Fn8NFEePZV2nQV97VVjKQRFNIVhrBMPQNK9BLHP9I1ob:hanBC2nC7jlFU64allI1i
MD5:	45BBF2E1F1A5A2FF772AC81ECAB10729
SHA1:	1A667FC7A808530F5C71FB69171EC2443FF29125
SHA-256:	82117236E134A04BF3D1CDAEC8B8E3D2FEF69E1BADB4335E3FC948166AC77A8D
SHA-512:	C3698AA1137E1078D3DC20E1A22C0B08CFBE81ABF38B2243F8F93EDB4C50861352DE429B3B62F01DDE56B3C8FB093D42132AE041D8231D329008C87BFCCE6C8A
Malicious:	false
Preview:	#!/bin/sh.#.# print the subject.#..for i in $*.do..n=`openssl x509 -subject -issuer -enddate -noout -in $i`..echo "$i"..echo "$n"..echo "--------".done.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\c_issuer Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.469769482094298
Encrypted:	false
SSDEEP:	3:TKH4vT6Ff9WX8iQFEePZV2nQVeVTFNIVhrBMs5v:haf9W37C2nLFU6s5v
MD5:	7A5EC6CC06CA0D45332FEB59A9AAAF1A
SHA1:	0CC791B7DC5957BF43B4CFCB5E689DEA8D83B1AE
SHA-256:	EDF51769D41AD6ACE7E5D885AED7A22C5D5ABAFBE8EE26E94BD2850492C1D727
SHA-512:	1C8C4F45838680515618642A8C811DFA1B3791E2C630E739862878A3320BBA54AB280F63F0A38E7C7D13F4CB9269F3EC4E4F6EEB313ADB790635D847E8CD47B5
Malicious:	false
Preview:	#!/bin/sh.#.# print out the issuer.#..for i in $*.do..n=`openssl x509 -issuer -noout -in $i`..echo "$i.$n".done.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\c_name Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.587455114929241
Encrypted:	false
SSDEEP:	3:TKH4vT6Fn8NFEePZV2nQV9lKEFNIVhrBMs5v:hanBC2nCQEFU6s5v
MD5:	E6828944A8B442B7A040405FBE3F9A1F
SHA1:	76ADFC186FF506274FA80660079DACA8E52BB0BC
SHA-256:	9F6B9E3FFB35358503BBDB87D11D7F7E051A22A001978B45419C06DF008608DE
SHA-512:	E111BA186512D20C6E3BD5163A7213708E2FDD73D93C4E5529CAFFCE74CF72FD0BAFFF200EF933F1FD4CE92E0F103BEEDB2A7FCBB85614B83CD40BA446CFE259
Malicious:	false
Preview:	#!/bin/sh.#.# print the subject.#..for i in $*.do..n=`openssl x509 -subject -noout -in $i`..echo "$i.$n".done.

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\misc\tsget Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	Perl script text executable
Category:	dropped
Size (bytes):	6419
Entropy (8bit):	5.3228061418295995
Encrypted:	false
SSDEEP:	96:aQCouJPt+2Qtanc/Z3dbpmNajCC23E2iwJSxzoiQLQvN5leXtv4G8bvtLI/x:aQ8Pt+2QAc3b3/22zoiQEXl8v4GCIJ
MD5:	9EBE114DE208F59F38826D70AEAA9122
SHA1:	DB05155818B1827F3E7133AC67326D87CB7DDD2E
SHA-256:	EEB39D9E6C27F76B654D0C8EDA2F534BFB40FF34175CB351A71B2FFE29B66937
SHA-512:	E852388FB5DE7BDA0BFD52DCE13077331D85FD9D8476AD3EFE44FFA7B6BB63D6B6ACEA79EA7D725A6264C2E12663806B87BE0576CB6A9E2949BF374F86CC5555
Malicious:	false
Preview:	#!/usr/bin/perl -w.# Written by Zoltan Glozik <zglozik@stones.com>..# Copyright (c) 2002 The OpenTSA Project. All rights reserved..$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $';..use strict;.use IO::Handle;.use Getopt::Std;.use File::Basename;.use WWW::Curl::Easy;..use vars qw(%options);..# Callback for reading the body..sub read_body {. my ($maxlength, $state) = @_;. my $return_data = "";. my $data_len = length ${$state->{data}};. if ($state->{bytes} < $data_len) {..$data_len = $data_len - $state->{bytes};..$data_len = $maxlength if $data_len > $maxlength;..$return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;..$state->{bytes} += $data_len;. }. return $return_data;.}..# Callback for writing the body into a variable..sub write_body {. my ($data, $pointer) = @_;. ${$pointer} .= $data;. return length($data);.}..# Initialise a new Curl object..sub create_curl {. my $url = shift;.. # Create Curl object.. my $curl = W

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\ssl\openssl.cnf Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	10819
Entropy (8bit):	5.005696671009127
Encrypted:	false
SSDEEP:	192:L8b9fYZNtKMpr/kWJGXgvr/YHKLJA+smghNuFo8fA+smgaHMLlEpFGzmB2jl:LChUpr/kCGwvr/YHYg77es/L
MD5:	3F0EE810B7A5E7CC8C862EFEA1DD77EE
SHA1:	C7C90B2A1C247D4531321D06B51FAEFCDEA479C3
SHA-256:	CFE6094182FFEDE14C8A1A64A671511D6F1C88A7AA42881A493CD6A51ECEC8DC
SHA-512:	BF46FC8BC3BC50703D649CBE1B6AE226510266067FA092AE8300C60B53E254B1F9F25D3F633B6A59347AC76E9EAF5D5F6592C66FC5144E69E20B03E295CBD24D
Malicious:	false
Preview:	#.# OpenSSL example configuration file..# This is mostly being used for generation of certificate requests..#..# This definition stops the following lines choking if HOME isn't.# defined..HOME...= ..RANDFILE..= $ENV::HOME/.rnd..# Extra OBJECT IDENTIFIER info:.#oid_file..= $ENV::HOME/.oid.oid_section..= new_oids..# To use this configuration file with the "-extfile" option of the.# "openssl x509" utility, name here the section containing the.# X.509v3 extensions to use:.# extensions..= .# (Alternatively, use a configuration file that has only.# X.509v3 extensions in its main [= default] section.)..[ new_oids ]..# We can add new OIDs in here for use by 'ca', 'req' and 'ts'..# Add a simple OID like this:.# testoid1=1.2.3.4.# Or use config file substitution like this:.# testoid2=${testoid1}.5.6..# Policies used by the TSA examples..tsa_policy1 = 1.2.3.4.1.tsa_policy2 = 1.2.3.4.5.6.tsa_policy3 = 1.2.3.4.5.7..####################################################################.[ ca ].default_

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\etc\support Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.839775539645511
Encrypted:	false
SSDEEP:	3:B5V/1Su/YDkn:fV9vQDk
MD5:	9CD25574A08EB18CA71153209973A792
SHA1:	B6CFAA54A3DF30DA24B95A5BFEED0712A71E8829
SHA-256:	F9AC71007071AF30452A2B614BB8E99F3D0155ACAD62A9E1C77111D62C7A1336
SHA-512:	889CFA6FC23D799FE03FAAC09DAB2E2988EFB13AE6F25F051EC8B178037BD2692570BAAF7767D846F5C4B1FAE84876C414CCEA363812D8238892374A2B63EF6F
Malicious:	false
Preview:	root:{SHA}+uCXKwbaKKgn/vae5Yfg33D0j1g=

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\usr\bin\curl Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
Category:	dropped
Size (bytes):	119628
Entropy (8bit):	5.640329159260421
Encrypted:	false
SSDEEP:	1536:FY+nbU1U0KejppRbquurQkQsfLqSvNmFsiq9cgNgB4+c:FYWbYlrppXeQkQsrNmFjq9fma
MD5:	4497C019881B525615A344122BA5D401
SHA1:	E7B90AE6B37AC9CE69CBC3446DADF8E30B93FDB8
SHA-256:	FB9CB517B5322194D0AC55602B6D931AFB25CFD7F7D70FEB48793A1156EACF31
SHA-512:	34B8424A3D313C2645A4CA2A2089AED36085DD82E76E2A5895692F174291904EC2DF9358C38025885006C5E6CFA042702C3ACAF160F6358A1C48BCA18F59D7A7
Malicious:	false
Preview:	.ELF.....................#@.4..........p4. ...(.........4...4.@.4.@.....................4...4.@.4.@....................pH...H.@.H.@...........................@...@.......................B..B.\...,...............`...`.@.`.@.................Q.td............................................................/lib/ld-uClibc.so.0......................8C.....).......g.......................(.......0#@.....@?A.....X.@.......@.......@....................p..B...............B....p.......p.......p..@....pv......p.......p%......py......o.#@....o.......oT!@.........................................................r...-...t...........U..._...#.......D.......C.......\.................../.......c...e...`...........................}...............................H...............<...p...........=...............1...z.......................V...S...[.......n...........................]...Z...........)...g.......j...N...6...........................E...................k...u...........m...Q...................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\usr\bin\openssl Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
Category:	dropped
Size (bytes):	543944
Entropy (8bit):	5.654771479745123
Encrypted:	false
SSDEEP:	6144:kgcPWx28anX0eWRkdaXPieDEO4kjGc4nI0T2vAQoAtkMKxWsDNQxDVReSixtEfZ/:r2XIq2OMzwhu
MD5:	8E8E4E7F353EF4F5611BBE6A8C61B357
SHA1:	4B733A223BF6758731DAAFCA01C891AAA8255F2E
SHA-256:	28C0C089661E0A879BC9B9288A37AA6726DE3A991CBFDA6A45172ABC5B38A779
SHA-512:	D1B08C075D376311F428A2902BC300A74D2A2BA36630BB25776CA77761F62CEACAE63CE72DCDBAB112C6CE175567ED6CEB09ACAB9DEB1641AC632A931A014F2E
Malicious:	false
Preview:	.ELF......................@.4...@H.....p4. ...(.........4...4.@.4.@.....................4...4.@.4.@....................pH...H.@.H.@...........................@...@.4...4.....................H...H.`8...I..............`...`.@.`.@.................Q.td............................................................/lib/ld-uClibc.so.0.....................0.I......P......"Q......5Q.......Q.......Q.......Q......\|.@.......F.....`.@......q@......%@......Q.............p0.I.............@.I....p.......p.......p..@....p.......p.......p&......p.......o\.@....o.......o..@.........................................................................R.......<...............Z...............................................$...U...........-...........x...............+...............b...............}...X...........W...........................\|.......o..."..................._...........u...............................b...........................T...........<...........................................f.......q.......

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\usr\bin\php-cgi Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, with debug_info, not stripped
Category:	dropped
Size (bytes):	6069202
Entropy (8bit):	5.998134841021303
Encrypted:	false
SSDEEP:	98304:MybZUDFISK+ZW8eXJOM5xOkCJAumkFH8rbNURTp15XemmJFfb78SmVaJjhs8:MydM+AFH8rbNUR35XemmJFfb78SmVaJN
MD5:	3E7B39CF6FFC23D737981EB80DA3FA9A
SHA1:	7245E1371F4908BBF19F4381A0FA656698C240F2
SHA-256:	45F6DF899B807EF70397F7CF61DEAB74D57353422DD1E00801B4BE239F9E1829
SHA-512:	E70D98D2F3A8EAF7532960C168ABF6E9907068AF50001007D9566F61A9012F2FD2D001BE67E8C1456CE49F2616C443998BFB8F4A2081AD0A556E4E2FA2242D3F
Malicious:	false
Preview:	.ELF....................P_B.4...luT....p4. ...(.*.'.....4...4.@.4.@. ... ...............T...T.@.T.@....................ph...h.@.h.@...........................@...@.T%J.T%J.............T%J.T%..T%......'....................@...@.h...h...........P.td.$J..$...$..,...,...........Q.td............................................................/lib/ld-uClibc.so.0.....................................:.......E.......O.......Z.......j.......z...........................................................................<.B.....@.m.......@.......A......R@.....L..............p......................,.B....................p.......p.......p..@....pL......p.......p'......pa......o,.B....o.......o\.A.....................................................................................................5...................".......o.......................................................................................................z...................A...........1...............y.......................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\usr\lib\libcrypto.so Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ELF 32-bit LSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, stripped
Category:	dropped
Size (bytes):	1841080
Entropy (8bit):	5.65569737720376
Encrypted:	false
SSDEEP:	24576:NUsrWolzXuVfCScF87MqNUP4/7bs3bK2CjvCC304Wku6i31BGvotPA:9TNHFss3JbGwtP
MD5:	5E5A7F8664D929F05E32E911ED9D1F94
SHA1:	55E92684438DE63474E389D5FE2C1B4EEA263AC3
SHA-256:	3CB1CB0D4F938E9081AC444E88A4239FE89A24320BE1F1BAE9CEEE42A71F1FA9
SHA-512:	2E5F56E127C1A018CA226436B95D10FBBBE327F6C58660BB9D109C49AEF95B8F816CAD10B9E8E8287037D71D3EBFFF8D92482FE3644D3A7EE1A6F9D6E3550C16
Malicious:	false
Preview:	.ELF........................4...0......p4. ...(........p............................................,{..,{...........................R...y..............,...,...,...................P.td.{...{...{..................Q.td.................................................................................,.......(.......(.......(.......(..............p.......p.......,.......<_.......a.......(.............................h..............p.......p.......p.......p.......p.......p&......pr......o......o.......o&...................................................................................=...G.......-.......................[.......n...A...P...........{.......Y...S.......r...^...........................................................................................d.......................C.......c...G...F...1...................................(...H.......:...y.......B...U...............N.......T...........l...........7...............~...........$...=...4....... ...........O...w...............

C:\Users\user\AppData\Local\Temp\IXP000.TMP\patchfiles\usr\lib\libcrypto.so.1.0.0 Download File
Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
File Type:	ELF 32-bit LSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, stripped
Category:	dropped
Size (bytes):	1841080
Entropy (8bit):	5.65569737720376
Encrypted:	false
SSDEEP:	24576:NUsrWolzXuVfCScF87MqNUP4/7bs3bK2CjvCC304Wku6i31BGvotPA:9TNHFss3JbGwtP
MD5:	5E5A7F8664D929F05E32E911ED9D1F94
SHA1:	55E92684438DE63474E389D5FE2C1B4EEA263AC3
SHA-256:	3CB1CB0D4F938E9081AC444E88A4239FE89A24320BE1F1BAE9CEEE42A71F1FA9
SHA-512:	2E5F56E127C1A018CA226436B95D10FBBBE327F6C58660BB9D109C49AEF95B8F816CAD10B9E8E8287037D71D3EBFFF8D92482FE3644D3A7EE1A6F9D6E3550C16
Malicious:	false
Preview:	.ELF........................4...0......p4. ...(........p............................................,{..,{...........................R...y..............,...,...,...................P.td.{...{...{..................Q.td.................................................................................,.......(.......(.......(.......(..............p.......p.......,.......<_.......a.......(.............................h..............p.......p.......p.......p.......p.......p&......pr......o......o.......o&...................................................................................=...G.......-.......................[.......n...A...P...........{.......Y...S.......r...^...........................................................................................d.......................C.......c...G...F...1...................................(...H.......:...y.......B...U...............N.......T...........l...........7...............~...........$...=...4....... ...........O...w...............

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.995587254677891
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	$RDPLVFM.exe
File size:	7715840
MD5:	9cbcd1d8dae34cd6cc49460103e521c4
SHA1:	b07e7b15752e1e25dd1e9fd480cacd5f3a79c5de
SHA256:	a9497a467b5846d60f2c12a3fd03c4fce70e38a7237a916d93ee440048b9c59b
SHA512:	027ae3369b39511ea05c183d1e352a82faeb5d6fd1bea5e0279b18b74398c2f7459b065e98d70efea1aa08818f1e6bec1fee668ea2de1f779f66acd8eebb98d5
SSDEEP:	196608:XbQIxzZhXClfy4OD+c4xy8WjNTjLtMRg4EFTWZ1izOA0JlpJrLQw5:LQIxSlfmD+txyhNTHD4k61OwrLQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.k.............0.......0.......0.......0...............0.......0.......0.......Rich............PE..d................."......t.

File Icon


Icon Hash:	f8e0e4e8ecccc870

Static PE Info

General
Entrypoint:	0x1400079d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xE68AAE13 [Fri Jul 25 18:16:51 2092 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	f26f5bea701561745dea20a33c88cd5f

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6A988B0A9Ch
dec eax
add esp, 28h
jmp 00007F6A988B0387h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000019E1h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00005156h], ebx
je 00007F6A988B039Bh
dec eax
cmp eax, ebx
jne 00007F6A988B0389h
mov edi, 00000001h
jmp 00007F6A988B038Fh
mov ecx, 000003E8h
call dword ptr [000019A5h]
jmp 00007F6A988B035Ch
mov eax, dword ptr [0000513Dh]
cmp eax, 01h
jne 00007F6A988B038Ch
lea ecx, dword ptr [eax+1Eh]
call 00007F6A988B093Fh
jmp 00007F6A988B03EFh
mov eax, dword ptr [00005128h]
test eax, eax
jne 00007F6A988B03DBh
mov dword ptr [0000511Ah], 00000001h
dec esp
lea esi, dword ptr [00001C0Bh]
dec eax
lea ebx, dword ptr [00001BECh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F6A988B03A7h
test eax, eax
jne 00007F6A988B03A7h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F6A988B0392h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00001B9Ah]
call ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa248	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x75130c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x438	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x761000	0x28	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a00	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0xf4	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9108	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7380	0x7400	False	0.588025323276	zlib compressed data	6.24222952027	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x22d8	0x2400	False	0.415364583333	data	4.73080854057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1e80	0x400	False	0.3212890625	data	3.18897698451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xe000	0x438	0x600	False	0.402994791667	data	3.29504233607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x752000	0x751400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x761000	0x28	0x200	False	0.10546875	data	0.564179270361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xfa10	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
RT_ICON	0x1282c	0x668	data	English	United States
RT_ICON	0x12e94	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291109880, next used block 28872	English	United States
RT_ICON	0x1317c	0x1e8	data	English	United States
RT_ICON	0x13364	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1348c	0xea8	data	English	United States
RT_ICON	0x14334	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15066613, next used block 15000828	English	United States
RT_ICON	0x14bdc	0x6c8	data	English	United States
RT_ICON	0x152a4	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1580c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x231e0	0x25a8	data	English	United States
RT_ICON	0x25788	0x10a8	data	English	United States
RT_ICON	0x26830	0x988	data	English	United States
RT_ICON	0x271b8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x27620	0x352	data	German	Germany
RT_DIALOG	0x27974	0x1ee	data	German	Germany
RT_DIALOG	0x27b64	0x17e	data	German	Germany
RT_DIALOG	0x27ce4	0x1e0	data	German	Germany
RT_DIALOG	0x27ec4	0x150	data	German	Germany
RT_DIALOG	0x28014	0x136	data	German	Germany
RT_STRING	0x2814c	0xd0	data	German	Germany
RT_STRING	0x2821c	0x6d2	data	German	Germany
RT_STRING	0x288f0	0x774	data	German	Germany
RT_STRING	0x29064	0x676	data	German	Germany
RT_STRING	0x296dc	0x4c0	data	German	Germany
RT_STRING	0x29b9c	0x426	data	German	Germany
RT_RCDATA	0x29fc4	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x29fcc	0x7351f6	Microsoft Cabinet archive data, 7557622 bytes, 9 files	German	Germany
RT_RCDATA	0x75f1c4	0x4	data	German	Germany
RT_RCDATA	0x75f1c8	0x24	data	German	Germany
RT_RCDATA	0x75f1ec	0x7	ASCII text, with no line terminators	German	Germany
RT_RCDATA	0x75f1f4	0x7	ASCII text, with no line terminators	German	Germany
RT_RCDATA	0x75f1fc	0x4	data	German	Germany
RT_RCDATA	0x75f200	0xa	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x75f20c	0x4	data	German	Germany
RT_RCDATA	0x75f210	0x1e	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x75f230	0x4	data	German	Germany
RT_RCDATA	0x75f234	0x13	ASCII text, with no line terminators	German	Germany
RT_RCDATA	0x75f248	0x7	ASCII text, with no line terminators	German	Germany
RT_RCDATA	0x75f250	0x7	ASCII text, with no line terminators	English	United States
RT_GROUP_ICON	0x75f258	0xbc	data	English	United States
RT_VERSION	0x75f314	0x410	data	German	Germany
RT_VERSION	0x75f724	0x400	data	English	United States
RT_MANIFEST	0x75fb24	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, lstrcmpA, LocalAlloc, FindClose, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, ExpandEnvironmentStringsA
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, GetDlgItemTextA, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, PeekMessageA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, DialogBoxIndirectParamA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, _initterm, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, memcpy, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. Alle Rechte vorbehalten.
InternalName	Wextract
FileVersion	11.00.15063.0 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Internet Explorer
ProductVersion	11.00.15063.0
FileDescription	Win32 Cabinet Self-Extractor
OriginalFilename	WEXTRACT.EXE .MUI
Translation	0x0407 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: $RDPLVFM.exe PID: 7136 Parent PID: 6020

General

Start time:	23:29:54
Start date:	19/04/2021
Path:	C:\Users\user\Desktop\$RDPLVFM.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\$RDPLVFM.exe'
Imagebase:	0x7ff63c4b0000
File size:	7715840 bytes
MD5 hash:	9CBCD1D8DAE34CD6CC49460103E521C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 7za.exe PID: 6420 Parent PID: 7136

General

Start time:	23:29:55
Start date:	19/04/2021
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\7za.exe x -y patchfiles.zip
Imagebase:	0x400000
File size:	690688 bytes
MD5 hash:	0184E6EBE133EF41A8CC6EF98A263712
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exe PID: 2804 Parent PID: 6420

General

Start time:	23:29:56
Start date:	19/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: alp.exe PID: 6752 Parent PID: 7136

General

Start time:	23:30:00
Start date:	19/04/2021
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\alp.exe
Imagebase:	0xef0000
File size:	985600 bytes
MD5 hash:	BF506999F29EAAB4910A08ED740C12FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	low

Analysis Process: rundll32.exe PID: 5940 Parent PID: 3424

General

Start time:	23:30:08
Start date:	19/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Imagebase:	0x7ff7e4720000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report $RDPLVFM.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: $RDPLVFM.exe PID: 7136 Parent PID: 6020

General

Analysis Process: 7za.exe PID: 6420 Parent PID: 7136

General

Analysis Process: conhost.exe PID: 2804 Parent PID: 6420

General