Gen.Variant.Barys.2143_d094375369 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

World of Tanks Hack v.6.0.exe:2000
%original file name%.exe:136
shuame_helper.exe:568
shuame_helper.exe:1852

The Trojan injects its code into the following process(es):

World of Tanks Hack.exe:2008
RootGenius.exe:1980

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process World of Tanks Hack v.6.0.exe:2000 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack.exe (3748 bytes)

The process %original file name%.exe:136 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius.exe (34007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack v.6.0.exe (7386 bytes)

The process shuame_helper.exe:1852 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\.android\adbkey (1 bytes)
%Documents and Settings%\%current user%\.android\adbkey.pub (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)

The process World of Tanks Hack.exe:2008 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (4545 bytes)

The process RootGenius.exe:1980 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\rgs (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\upNew_RootGenius.exe.tmp.fd (256409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser.zip (3863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\busybox (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\info (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\su1 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\shuame_helper.exe (3811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Download\KingUser.tmp.fd (85886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\run_daemon (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\UpdateGenius.exe (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\Shuame\.clientid (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8UT3N2QI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (7666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\fakebackup.ab (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinApi.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6SKZNAOD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\79KZR3GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NE6NOXOX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ku.sud (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\zlib1.dll (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Apk\StayAwake.apk (45 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install (0 bytes)

Registry activity

The process World of Tanks Hack v.6.0.exe:2000 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0A A4 A1 A5 95 34 15 8C 6F DC C8 07 67 32 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"World of Tanks Hack.exe" = "Remote Service Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:136 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 48 58 F1 2D 72 F0 18 73 C6 C3 55 A0 24 81 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"RootGenius.exe" = "RootGenius"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"World of Tanks Hack v.6.0.exe" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process shuame_helper.exe:568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 96 A1 0E 82 AF E8 B6 D9 C0 97 CF 4E 3B 55 33"

The process shuame_helper.exe:1852 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 F9 C4 58 3A F2 85 22 F1 E0 CB 8C 76 BA A1 21"

The process World of Tanks Hack.exe:2008 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 77 CF 67 C3 0C 79 49 D0 48 F9 00 75 60 79 A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msdcsc" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

The process RootGenius.exe:1980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\RootGenius]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RootGenius.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 AB A9 D3 0F 8B B2 02 BA 70 8E CE 00 4B F9 0F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
a59280211db18ba746eae705d7be1aff	c:\Documents and Settings\"%CurrentUserName%"\Application Data\MSDCSC\msdcsc.exe
ce042f519c0abab6e3ac30dfd0a28408	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius.exe
55b2c245718c8612d5b1f45182b3186b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\AdbWinApi.dll
58067cfdf27774a97c1bdbf5b9d5bc3e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll
5ab29a0ff73766e497e00594145df0d9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\RootGenius.dll
9b26339dac7d92c1f577052f2d8c5a9d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\UpdateGenius.exe
68dd313030ce594585fe5bf6c30fc573	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe
13468a05c81cb1e83e22ed540d2b378f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe
a1898660f04107ad073d3edbee2ae2ec	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\shuame_helper.exe
08eb5b5dc281fe0bf46cb234b4102f94	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\zlib1.dll
1773bc61706767ff5944e9730bda7242	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\World of Tanks Hack v.6.0.exe
a59280211db18ba746eae705d7be1aff	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\World of Tanks Hack.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
World of Tanks Hack v.6.0.exe:2000
%original file name%.exe:136
shuame_helper.exe:568
shuame_helper.exe:1852
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack.exe (3748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius.exe (34007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack v.6.0.exe (7386 bytes)
%Documents and Settings%\%current user%\.android\adbkey (1 bytes)
%Documents and Settings%\%current user%\.android\adbkey.pub (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)
%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\rgs (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\upNew_RootGenius.exe.tmp.fd (256409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser.zip (3863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\busybox (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\info (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\su1 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\shuame_helper.exe (3811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Download\KingUser.tmp.fd (85886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\run_daemon (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\UpdateGenius.exe (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\Shuame\.clientid (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8UT3N2QI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (7666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\fakebackup.ab (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinApi.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6SKZNAOD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\79KZR3GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NE6NOXOX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ku.sud (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\zlib1.dll (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Apk\StayAwake.apk (45 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msdcsc" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	5048	5120	4.39524	e5913936857bed3b3b2fbac53e973471
DATA	12288	124	512	0.77468	cef89de607e490725490a3cd679af6bb
BSS	16384	1685	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	20480	770	1024	2.41029	3d2f2fc4e279cba623217ec9de264c4f
.tls	24576	4	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	28672	24	512	0.138011	467f29e48f3451df774e13adae5aafc2
.reloc	32768	456	512	4.00868	9859d413c7408cb699cca05d648c2502
.rsrc	36864	6034888	6034944	5.43911	7ac1e95657bb06de64065ecfc5667eb9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://root-lb.gz.1251001058.clb.myqcloud.com/v2/root/cfg?versionName=RootGenius&versionCode=77
hxxp://root-lb.gz.1251001058.clb.myqcloud.com/v2/root/update?versionName=RootGenius&versionCode=77
hxxp://p23.tcdn.qq.com/1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip
hxxp://down.qq.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe
hxxp://182.118.11.159/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe
hxxp://42.56.65.16/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe
hxxp://163.177.158.80/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe
hxxp://153.37.232.46/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe
hxxp://1251001058.cdn.myqcloud.com/1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip	42.56.65.20
hxxp://dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe	183.61.46.140
hxxp://api1.rootjl.com/v2/root/cfg?versionName=RootGenius&versionCode=77	203.195.128.118
hxxp://api1.rootjl.com/v2/root/update?versionName=RootGenius&versionCode=77	203.195.128.118

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Range: bytes=335269-440211

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

Connection: Close

HTTP/1.1 206 Partial Content

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:14 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:14 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Range: bytes 335269-440211/880425

Content-Type: application/zip

Content-Length: 104943

X-Cache-Lookup: Hit From Disktank

-.......,./...M.I.6}...._63..P-...Gz..lg.s$.^.s-w..qHU.<.......\.......?.( .u..."....oO.3..v.d....G..D. ...E......}:a...Yf.7.... ;...;..e......C......s....j.. h.,......O.,..-?.UWLrb.a...E.....K*...oJ....>8.".o......fy..C.......D..8..q.K..4..............v.............S[.jE1Z.}....Z{..=f...MR.....f .=G.m^......(x.<...`TW.....Yg.......-..Z_"l].O. ...y...........1.}..."...&V.S...<......1.`.Qe..`e/....l..'..{-\).|}......T..5..&H..E)4...;.w..wL.C0.......j.G.YK...p6McBI..*.......je4.R....QZ........K..)..Sb.f.a]...3..z....8. ."...r.....(DO...e.G..`.4..(..:p..h..Y$n|..|....7..d"#.Bt....pyC..K.. ....fX.c..;.5.)..e..4.L....l.(6.zo.o..Y..av.....C.b.>Y;......S......1.........ro....x.#..4G.i.5$....#.......U....'.o.....y.c.o.-.t#..uD....mX.jpG.....L...T.S...K.t].........ub&WBf.6QY...L....*...'..6....".......k....r..3...1..B...z...qX.h..RZ....3@..4.Q.....q|..N.[...Q....a...v%.....S.`sLC. .&q....W..R...d..%O..tDA..>.Q.<I4.....S.7.b.....\.3.'.D. n.,..R......V..B...'y.H8.r..l.}.9...j.K.... .........h...c....y.8`. w..b.[...........!F.w~~.Hg...^.5..#..}'x..D.c-#..R..o......6.....Z5......e?0....d...v...a....X.-D.<r..w...@...k\f..'......a....tQEW{c.V....K[t......_......{L..t...v......;u.Cc...........e#.`.r..V. ..u..Ks....V. .V.0|.YK..c_.n.|B .}..[o2..............6..r.D.......5.>v\...b.F.z...m..Sc]..#xT...o.}...[N...,........]..?q.g....p.l....E.E....i..X..1.. ....h.J.)..`mF....!.......*.w.D*.-.]..LDQ.9%.._...Yj7....B.....}.I|...<\}=..J....<.M..........I.....6..i......y>B..'[..8..a.......`...n.{..x1.

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: dl.shuame.com

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sun, 09 Aug 2015 00:36:09 GMT

Expires: Sun, 09 Aug 2015 00:36:09 GMT

Cache-Control: max-age=0

Content-Length: 65

Location: hXXp://182.118.11.159/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe

The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...

POST /v2/root/cfg?versionName=RootGenius&versionCode=77 HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: api1.rootjl.com

Content-Length: 0

HTTP/1.1 200 OK

Server: openresty

Date: Sun, 09 Aug 2015 00:36:06 GMT

Content-Type: text/plain

Content-Length: 703

Connection: close

...I.....F.H.Xw.G?w...9.7Z.La....-.........r....w......x..dEr...r.F.Kb...h.H.3Z...2T...T.j.PE...^.....Cv.e...v~V.:.s..)..'.HQn.NB.Cg. g..g~e>.f.Nj2.#....*FM..-.F..FM.3^-f.y:V.v.Z.S...r..n..3f.G.Z..CF..MlEdS6.*6N....|56EFM.(.n.p.../^...s..^..3N3f.......3'.g'.j.h2E.M.TF....n ..#.A|=rJOL.(.z).F..F..K.Q:l......M9=..$..RbCEF.2E.j..FMl...B.GFBd..3..GO...$.n.#E..jT.N......cS..E........BI.R.FL.BH..J...Q2.6O..$..\5FNM..t.r.#M.=...I.....TtS..C......N.J..z..KPJH.K.....2.6BB\..9..N..H.t.*...E.jl=...R.t....:...q...HRGGK^.B..j..ILl...B.GNv.t.5..6K.C.#.*..M..r.)...S.d.'Ql..h.....N.J.JB.2.KR......dQ>.6*2.c...!J..H...f...O.nl.K.:.T....\S.....t...B..z.*.M6E.M.....J.nZz...#..GFE..c.2.c.h.*..O......d..SF.<...dEr....

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe HTTP/1.1

Range: bytes=3367408-5051111

Pragma: no-cache

Cache-Control: no-cache

Host: 153.37.232.46

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Connection: Close

HTTP/1.1 206 Partial Content

Server: 3Gdown_DK

Connection: close

Date: Sun, 09 Aug 2015 00:38:23 GMT

Cache-Control: max-age=2592000

Expires: Tue, 08 Sep 2015 00:38:23 GMT

Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT

Content-Range: bytes 3367408-5051111/6734816

Content-Type: application/octet-stream

Content-Length: 1683704

X-Cache-Lookup: Hit From DiskTank Chunk Forward

.:..2.=. .(.'T.....1....l...W.g?Y..z2pKT.7....`B..t...O\Y...:.u...k$...H. R.......?..[.Y.$....%_...2. .r.$.J..0.P^..".o6...........Ti. F..7.r...>.i.u.g....(.).91......O..O56...k`/v..@7..$...@G a??-..".kS..68S.....$O .Hv...}.].S....4............D.r$..u.E..zm....@.M0.t0.......].tB.....9......7.......S.....^..?......*..Y...EA\.hu....R.-Y.J.f.@c...u...1.v]....K...B....nQL.V...l....v.Y.l..h........G..L..........j{gw.pL.U...N.7...!..u..l.>.........h..,.$........X..'jY.....YJU.?7 .{.-D.Z.J8W..4.7:....}/,.9.b.....t.#..0....>{.A&....x.N..:.K..P......#.....z........x."&..OS....^. ........~... R.-.b.L....n.(..on....D..g=.......p..% ..i.4&.(....a.....E.....0.$.b....1.Z..5.zSJ......*s.l4...Mp.e@..../E~....|...V.i.#\.\.}..S..u.-....:).~`.-.S.A......m..I).G..G....prU....9..G...X=..}d?>.Q....gO[.( ...d....uhV.~==...........&.j..9.......M.S.|3.M........n....)K...3...6..........4.03......_l_....^_.6..g.#....'.\........n*G..q.~TJ.....{o..u...9...F'|x.O.....Oi._.....X..xL.oj.e...aY#..k7..w.P.}............3.#d...!PY.tqj...<A.....$&0w..'...e"...n. ...F#Rl........E.......W.A.8..........y .A..**S.. R..w.U..j.`.>........`.................W......Q.y5K;.9B.|.....o8...D....d......1..K.....`.6.!....u.\f.........Zc.V...:.YE...ljE.P....ChY.._.&$YG....C.;$!.v(........<t...|...........X.....i.\HW...Jb.&.oK........5....(...5:4.../.\...........&...LoV.ab...ze=m.{R$.A.c9.PtoC.a."q_......lX..t.0....-..9y.......7(Q*eB...}..A..)&...W....3...y.G..g.......R.K..a..._WFvw&......[.....|-J<C..K...UC.B..$.k...O..Q....7}.5..It-T.UD..

<<< skipped >>>

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 182.118.11.159

Connection: Close

HTTP/1.1 200 OK

Server: 3Gdown_DK

Connection: close

Date: Sun, 09 Aug 2015 00:36:10 GMT

Cache-Control: max-age=2592000, s-maxage=10

Expires: Tue, 08 Sep 2015 00:36:10 GMT

Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT

Content-Type: application/octet-stream

Content-Length: 6734816

X-Cache-Lookup: Hit From DiskTank Chunk Forward

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.!.X.r.X.r.X.rd.yr.X.r..ar.X.r..^r.X.r.!^r.X.r. :r.X.r.._r.X.r. -r.X.r.X.r.Y.rO.[r.X.rO.br.X.r..er.X.r.X)r.X.rO.`r.X.rRich.X.r........................PE..L......U.................v...2b...................@...........................g.......g...@.........................0.....................`...........f.......f..7..................................`h..@.......................`....................text..._u.......v.................. ..`.rdata..2............z..............@..@.data...,@..........................@....rsrc.....`.......`.................@..@.reloc...7....f..8...tf.............@..B.........................................................................................................................................................................................................................................................................................................y....`.D.t..I...t.Q..X.D....U...u.j..q...,.D.].....U...}..t..u.j..q.....D.].....U..3.9E.u..u......!9E.u..u....P.3....u..u.P.q...\.D.].....U...u.j..q...`.D.].....U..V...S....E..t.V.i...Y..^].....U.....M..H...t.D.3..@......H..H.f.H.f.H..@.].....U...E..e...w....v..W...]..M...3.]...U...I...].`.3..A.B.....A.......U...E..V....t.D.t.V.....Y..^].....U...E..M.... .;.s..W...]....M...3.]...U..V.u.W.u........E.VP...V........|6.u..E.j.P..........|!.O..u.......t.N.`...8.@......p...3._^].....U..V.u.W.u........E.VP.......

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1

Range: bytes=1683704-3367407

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: dl.shuame.com

Connection: Close

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sun, 09 Aug 2015 00:36:12 GMT

Expires: Sun, 09 Aug 2015 00:36:12 GMT

Cache-Control: max-age=0

Content-Length: 65

Location: hXXp://42.56.65.16/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe

Accept-Ranges: bytes

Content-Range: bytes 0-64/0

The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Range: bytes=660318-880424

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

Connection: Close

HTTP/1.1 206 Partial Content

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:05 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:05 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Range: bytes 660318-880424/880425

Content-Type: application/zip

Content-Length: 220107

X-Cache-Lookup: Hit From Disktank

(......K.K.`...$[...-.[.....(\.W.Q.O....G..-.n>..a,J...............3...J.Z...h.V.[...s...es.gL....Su...8.*.:..>.0;F.. .....>........b.gP..[....'...8c..KDvrv.*.7..g....Vj..d .{.?...E..=.#..L...5Oe.v".Vq{....k7....Qn.M...C......?S%..aX....J...w....M.4..y..R.\..u).\O...x....'xI..;.pL..m...s...k.|.B.}...B.v{...d...Fy'....h...........~..O.zp..n..&bo.u^'......u.0...u.....;~.......>.p..._..^......!.K.yd.WB.........x_....J.rh..d...q6....2....-..../..h....bc..)7./.:...u....... ..*...L.y.;#.R6;..]..@....K..c..**.@_N.Hu...YN.bX.MQ.K.AH..!`.......N#....N. .q.j>....k[.....u3o...X..BN...6.-.T.9....j[X'K..IT<l0...3._...'....cQ.T..#R...]g3..dQ.@....2..~H..>.Y;..FD..........[U.S....`........w.Y.10......o........E7.'o-R...(.......s.K%*#..o.k.D,......d\?b.....|.>28...._..O...x.........w.zj.......#.....w5.o..... :....3.....c..*"(=...../........`k..@.ZG.g..a<&..t..X1X,.s......iy.8b...^.Lv.K..e".....[....O....G.a.J...a......D...rJ....7.C.D.....r...M...*....I.p.....hg~..i....,l3... .C.w`X..aG$S.E.p.....2........T...D..jztm..........$..R.~.6...*....^.... q{):......./K...E..l:-.Q.%.......wg"N...3.........w.I".*...Ej]-.........T|.mt.j{....( ......7?y.7r.fE...RG.....o......~N.....0y.*@. ....y.....fv..@...f..$..........@PR..B&..Dz...d{..8.1.I.N!r.X....z.mt.f6.....8...c.X|........\z>../...:.~'u..4}...J.`.).L@.3.w.b.i....].<.=....,....K.K...5......V...H.~.Wr..@.. . X2.7._..=dyY.......o5'}`../u..'dlj..jubP.........L.....'...sxX.H0...zcq^..{..D....,.si{.....J....,....<.O......kl....4..U.gb...e:...5i@.=.X.p.

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1

Range: bytes=3367408-5051111

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: dl.shuame.com

Connection: Close

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sun, 09 Aug 2015 00:36:12 GMT

Expires: Sun, 09 Aug 2015 00:36:12 GMT

Cache-Control: max-age=0

Content-Length: 65

Location: hXXp://153.37.232.46/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe

Accept-Ranges: bytes

Content-Range: bytes 0-64/0

The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Range: bytes=440212-660317

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

Connection: Close

HTTP/1.1 206 Partial Content

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:05 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:05 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Range: bytes 440212-660317/880425

Content-Type: application/zip

Content-Length: 220106

X-Cache-Lookup: Hit From Disktank

l.9..".<w.(.Y.].FQ......#.....$.*@..~.........@..C(...#$.....d<...dV........F.f.....o.%B.5...ref*j....w.c..J.g..........@..]......x..M.4....S...Y.t.W!..P..y't.G.P..V.u..c.u<HATQ.)......Cz.|....0?y.....p0......K.A..0v....w)...T.q....mx...UK=.../t.Z2..<..g...R..x..>..N=....L=.........W.....-..&..8..smII........r.]yoa..<..0..T...B.=...)RW.8.dcH.y......g......9u.*.V...S...J..r..C.:..........g.l..[..i..x.%...M.....c..wD>.-...:.7.3<k......4.....Q.....5*....y4...(..`Zy....-y.g..u... .......V..N.0..GK...h}.V.(".:...y....|.............3__.4z.%....WC..k....(.....%..V/.-..v.....O*..].*......./.e....B.<|......P.x..........7...F....F.(.......O|.U.....F'..E)J.......3M..b....~..a....c(.....SZ@|.vO.|l=.!...7../;M....8].muV..S0.(.'$S..I%...n...}.=.k.U..<......dp2YM.t..1.mw5.m..V......e.ag_..3.!..` ....`.z......lM...........X.L..7n....y...u..R...b... .i..H.\.........O..t./.....]....&...vb.....=...D.=.....q...b...hf.W.#8.vU$D\....}D.B\\3.e...g.M ..`!......6IC.%......:UH0............p'h...w.....k/...a.83..(.....\..Bk.....%.......m/.T~.....!..}...-.n.>h..I...!.....0...x.K.l....!.hYP.....!\H}.c.|....q....C.t.K.cE`...j....s.Q...E.:e..$so....?(S.....M.&%w...1.i]Y0 3.@j..h.UL. .5U......X.2[Vi......5.UF..q8%.S....Jm..w.P?o._........}.K..........Xp..1.....8~.{.{-8.z6.J.`\..ag..z$;_-%...5....@.B9@z=...!i...t0i|...%....UD.(Y.o..uHn.{o............ @.}.H...|...o&jj...D.}K..y...3:c-&...3.vPLD<.T."zQS}...Bu^v.......>......~`....'Wez......y 5t...~.9.?.I.........J15K.-D.f>1...>.......`....kx....c..D.c

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1

Range: bytes=5051112-6734815

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: dl.shuame.com

Connection: Close

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sun, 09 Aug 2015 00:36:13 GMT

Expires: Sun, 09 Aug 2015 00:36:13 GMT

Cache-Control: max-age=0

Content-Type: application/octet-stream

Content-Length: 0

Location: hXXp://163.177.158.80/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe

Accept-Ranges: bytes

Content-Range: bytes 0--1/0

POST /v2/root/update?versionName=RootGenius&versionCode=77 HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: api1.rootjl.com

Content-Length: 239

...O..E.........zr.......2...-..K..i..K>.i..x...'..s.....p......J.rPOn..MFdP.S".??K~/..6.._i....#<4IO......S.d...........'.KSF.PZ..Mejc.c.>O.. .nr3.s.9^.vdf........h.N....................M8...C.2P.zI.........2.zl'..f..hH

..ryp..2\...Q...

HTTP/1.1 200 OK

Server: openresty

Date: Sun, 09 Aug 2015 00:36:06 GMT

Content-Type: text/plain

Content-Length: 788

Connection: close

..<...bSc#Z$F....~..M2.B..d&..Uu...w..\z#....Fj...j.w...Q.n...p.LSl#..d.d.J.....\..FKQ...L.c#-H2.#O....&5c...F.rH.j.......jc..$d.......Qc.....|....N..y*...t'!I..-..#.mB!....Z*2h.G.t....H......d.nt...:..j.C.lr..dZ.S.'.f......d-..p..n.pY../7#..'..5..s.z.....>.vs..f.f..4J.V8...2N.i>..$dp.hs..Nc..\Z!d8..ZFbE.j.(...8.....44.r.#.T.R.tr$J.....dCJ..b.d.c4iK2.UF.cAL3.3:..7?;../..A....b....#......%.d&*#j..Ql...J..b.d.c(%.Y.._.2.n7u3... ....;..w}.yg....32~x.%..&Q#.6(J.V8.dT>M..2.l(.c'..\..q4.v7.....? ...n.t%....B...'$..vs.v.... .C..r.d.2E..6.d.c4iK2.UF.c.^G.tY..;3K..f..'....#3.^ta...4#T.Sc.2.6.T....2E..6.d.c(%.Y....'.6z3g...?73..?.255.y./..>.2vx.#.|...#jc...Y..T>...j.........=fr.7vz.'3..'f/f.j...3....3..'w..\...4...G#^..R...BI..Z9.#4k!Hq.5.....7.s:...BB..j.......7t.....x.....q.c..C.|s.\....

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe HTTP/1.1

Range: bytes=5051112-6734815

Pragma: no-cache

Cache-Control: no-cache

Host: 163.177.158.80

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Connection: Close

HTTP/1.1 206 Partial Content

Server: 3Gdown_DK

Connection: close

Date: Sun, 09 Aug 2015 00:36:13 GMT

Cache-Control: max-age=0, s-maxage=10

Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT

Content-Range: bytes 5051112-6734815/6734816

Content-Type: application/octet-stream

Content-Length: 1683704

X-Cache-Lookup: Hit From Disktank

M.a....]..~.g..^...K.|....z........v.....Q..i.....*Y.T..|..U0V.E[c..._]H..... 7..\....b......4......s._........u5E..^.....b~&.U...a.<....,1...T......iL.....\..V...M..="..:.y.6.[.....E......'`E..U!....x.....wy:..R'..j...S.^....Y..Dm7...A..>A....*.TA..r.Cv?W~.0.q.'c,W.{.NW.....H.>H............&.B..m..?..{9A.a3..n0..S.m,..........}..=0...5..Ft.....X.-....DzE...g.....'.. ..h6....n..........fjk.Jt(4.]L.,...2....6.u...Y;:FGWA.k...g.....]...=s..E.:G`*.b.T.:.V.t..7t.....&x.].C."..... ......rh.(....Tp......%......Jh..O.>3UE..`$..:._.`t.W..3.........V@..a.D.....X.|t..&.>........f.w:..b8...D.. ..M..,.f.........e.n2Uj}.l.~a.{...x..{....b.....dr <...[.8gC.C...D`D...e..Js.....^.r...E.....)....S...K.....bb~..!.p...V....SC..7b.r..Vd .w...8....2?...{^..../-\Z..{....|..=..[....-.....y.........H...w. ^u...G...d<....][Y......>y..3._~yG..Qv...8....$\#ia.C9.......w~.@.03xb....N.ut,%4.S.\ZT4.^.....,&;....m..lkI.&L=.. .n...>?.C.....S..R.8.VWN..'}(.u...}L.......8./..3..Y.........V)..;.i.P/...{o...:%.{>.O......AM.*..i..W,.m..KT.v..k.|{,..y...o..>....\.3........C..........L..^y_._.....$M%I..T.0....(.........iF.KLe&.<.7xL..g..5Y..R..cy.(....C.n..K*..aP..2....x9....g........:..R.O.b^..m?.......k.e.2.O ......F..T`..k.[g 0.....,.-.....=..X.=q...v.r...2..3...CF.4Bo..E...!.2..........[Bj...m..,D.'....[....Q........=.g<7....\...l...*.2........ Ah.......L._:.U..W...u.$=7.%.Q@..u..E..7.R?BO...z....73r.P._.]B.P......-.....e>.a. .P'.............K.C.Ho.J.b.3;.rB.........W..:..Dxw....d?......k.b..._B...b....d

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Range: bytes=220106-440211

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

Connection: Close

HTTP/1.1 206 Partial Content

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:05 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:05 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Range: bytes 220106-440211/880425

Content-Type: application/zip

Content-Length: 220106

X-Cache-Lookup: Hit From Disktank

@......t...D...lc...u...W.)..T;?.....{....m)......"........'.. .........g. ;s.......nq.!........%%.[.J.J......Z.7..$.w.E3N......_.G..8.d.!*r..-..|.R........;..`B...W...".......([.O.\';..j....".au~.3...f..w.Cnm...b8.........]..n9......=.....;......}.Ah.....2.7.z<.....v.BW... .UHT....\..|.....w........h...E9d..;...Sb...Wn:.8.*LY#.].....e..'.N5.X......O..pS.0`..U2. 8...D.v.>....OL9.........7.YJ...R........h...zfj......)yx.6.....d.....:..,`......r.y.\...z.3......p.g..k..P..x*..P..$M..........%A....X ..b.1.V..&X..*,B...?.o..~O..>..I<A(.......#8.Z...dt..).H.s.;d..k..iDz>jL\.o[.2........s.?...3#D.28...C...6...0.8...J....=...h...'.>.].[... .8.=..........X|..K...L..UK.wS....9...I..C?..O.....s..Ut=..4..~sf...^D..P.....)....p.s....k)..rM.....k....@ ...........PW}.:5.p..M..w..k....N....{.ts.O.._..NQ;.......:|s].......s8B....w....,.M\..m@.Y.z....L..v.H....}.V.........M....Z.......rx..U.q...........F.dN...2..e......a.i...Q M.....,Z.B.(.?P.`U..{_..h..3...Kb.Q.j....R.}Y7....w...j.;H5.$../....T?...I'G..~"xgL^AV.^...~..N(..dH...*......l]ud.....W.\........B...j..l.Qe4V..0..n./.....*l.= [.,.=......y.o.S...]........b.....r.....M;M)D!.......U.>......v.)2T.0......4s.\%.j$<2. ...}......\...Df..w.I...G.^WY.......].">.....a......t...(E..~.P.F...|w#..,...oi.]..;......R.A....N........E..s....Ng...d@..n.D...%.T...Y..$'Q....J...........`f..Y.s....I.........^...T..O.6P..Zi...y.....r...5....Q.,t.......\.6..D.!C0U..w.ye.m.H9.k.W.0\....rX...~Y.........;o...`..&$...W.1q9J..x......._..'. ........aE....._#..q\....L.@..

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Range: bytes=795191-880424

Pragma: no-cache

Cache-Control: no-cache

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

Connection: Close

HTTP/1.1 206 Partial Content

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:15 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:15 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Range: bytes 795191-880424/880425

Content-Type: application/zip

Content-Length: 85234

X-Cache-Lookup: Hit From Disktank

.....VLFa.......!..W.JY0...~.D..F......|/q......g.v264YB[..|......X....}..D:..t."...\.?/......N.wO.`.F....Z....T*8M:6\N..Bj.y/.....y..k ....w7..fpDw]...dK.:d#w!.......D..u.......)..o...G1.m=n...<i.Xa......~.^./0%M.......A....6...A.o....a...R....6Ta.A..}.....}0 %.u~m...!.\....q@.o7SC/..!b.fF...]....RFi...m..A.....).!.....O.D2R..q..X.<....W!^...lW.C.R:...e..e..).3.....{.VX..7..!.R91..dnZ....@..q.j.......D...I2.:....X.....*..4.WGD....w..P*.......?.SR...C.j....Xg....!.. .........].e...L.=......].z....T~.... ....`E.f.... {...."H........!....${......|....Y..(..}Q.B_.~.3s.....B=.r......].9...[......b......../...,..V)...G^.E..j........g..............u.....l....?.S-...s.N.p.jv.......X...b......e......J..e....Yu[pO.`=EO5..B.....w...%.-t.q...WP...8...>J.....&.#($.\y.......J.s.....X.!..8#..6..c=1'>.D.B..C....X.....].z....(.............jy...F@i.3i..;P...X.Uh..`..=.CH....d..&....A....Vgd[.c.&..`.OC.3.o.7...;..~....v.2S6....dV?.2A...\t.. .)....3BlM..C...<.B.v......y....]3F.....d4..G.w=.I#,(.L.n..0..%........2.. En.G..K^ i......a'...W.$...N..:t.N\w$.e.jP.....=. .k....5k............x....=.l.SX.....N..JQ5G%.^...^.I..K4H....@.18.n..b.....Y.AG...>.I...B......03...v<......j...........g.\n@.<.l.4..5.....u...n..Y,..VpX..>.=..)..eA..4.h...P..8...Y.A.>.Q|..,.....E.....~)...C.....g1D........"....Ã¿..m..(......x-."~.VM...e..!......(..oH....rR,?g.=.[............?/.C...S.Z2.8.3..fM&..p...M..")...i...cC.>_....E).$.."1...j|.\....(^.\.H..QNL..M:M...Ofr.......Bj...N_....5........"........zW..x..a..3)0<.....

<<< skipped >>>

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe HTTP/1.1

Range: bytes=1683704-3367407

Pragma: no-cache

Cache-Control: no-cache

Host: 42.56.65.16

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Connection: Close

HTTP/1.1 206 Partial Content

Server: 3Gdown_DK

Connection: close

Date: Sun, 09 Aug 2015 00:36:12 GMT

Cache-Control: max-age=0

Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT

Content-Range: bytes 1683704-3367407/6734816

Content-Type: application/octet-stream

Content-Length: 1683704

X-Cache-Lookup: Hit From Disktank

.gfTD.J.Y....b.Q....a.... .eE.m7q...C....o. ..-....?..~.%^..U/..q............w.D.`*O.n..........2.s.....Y_Yo[.X..].t8....\.,.\../.g,..C.....w.u_....X.D.g...7.v.I.....&]!.%....Z.h.9.....=...W.^,.Z|M ... ....8.KY@wS...=..........I7;...o!..m..c..Ez.t...........vd......F...#!$...-..H..4.y...F....F._.C..B{.......%nT..U.B.#...#%mG........fob..ho. ..~..M..vIPY.....R.{....X%..J...f.H... dt....Y)..>.....v...t@.:.<.........P..6.=...........E.Dp....M.`k.....:....bbH0........Q.......tL.l-M.zd6#. ..9....J...Q...ek.,.^.J.^..7..).p...Q..>i..1.z...).:.S8..&u.o7........a......S....>......@......:.1........9.>8.@U..!._.... ..MR.z.0.$S.g...8..... .;f.:.FB>....X...x..*....Me..7g.;.........3......oP..Rt....... .....\.......O..]..gvp...I.TaD/.g...P.MvP.[..W.D...)&q..'...3o..._..3...I.)V;.h.....J-U....&v..8.U.D:.........2mW.._ZT.s.8....D..@..s..R..X.Vq....,.. ...@.>....l..=......./....G}.x.A..o.z..,D..1..I...1.(5o!....j:....o.....V...t...........Y....k.=.~..x.\..5U.8.....,.-.qI7..h.U.6...<....u|.)6..w....4.....y....,..A@4.(e....[G....n.......$"0...n..}G..A..^..d|O*..`..K.40..}J..7.\\.~.ChMF.i.Hn..6.......`...N.d11.Eb6....#.g..Ir.b....>.cp .VjU.......5.&l....Q..n..dR.lH.%...EC..&...P.........Yy6f....(...q..@......G..cs....._.,y.\...i..m....K\Y,..v.........'....}.]....'%....)Lr..liDp..........K..o|..p.'.....%1Sg7...'.^...........q;.e..........&..;.4D...=z=U.z.o...4.....I..T.....9.k.`..o}..........[.^..#%...|......../..#....Q/X...'"..c.H..?4..'..f...{.....|mU.l.vK...N...(p.iT^....>...........?Y........1...n

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: 1251001058.cdn.myqcloud.com

HTTP/1.1 200 OK

Server: NWS_Appimg_HY

Connection: close

Date: Sun, 09 Aug 2015 00:36:04 GMT

Cache-Control: max-age=6000

Expires: Sun, 09 Aug 2015 02:16:04 GMT

Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT

Content-Type: application/zip

Content-Length: 880425

X-Daa-Tunnel: hop_count=1

X-Cache-Lookup: Hit From Upstream

X-Cache-Lookup: Hit From Disktank

PK........Bx.D..JuG...B.......ddexe......N..>......(.i.......E.Z.z../....Z.m6/..'#.B%.....H...9-....&$..:.PK.........q.F....K...?.......infozM...!..L...h.5..P.k...j.....0..=..B[........... ..1W...f.].>d=.j(..R......PK..........IF.../............install .I..4%H.......v..>.M.6..~3IJ63......S.._YX..a{|...E..>.[q.p.m{........NH'..FT...L.:r.f.6.D.....,..*.'...M.EC.4Oj_.i...b._!"*tq0I.N..=..@..R9........4..i....N.<.].?P-1..}...(.... .....o...~....K*..DO.K....~...i..a....K.......}.8.9........s.2.../KnL.j.1...MRx......C.....>*!.....xvH n..N]8..t}[.....~nU.h..\.......f.N........emD..Af.....=.f.f1.|....O..9....%}7h..>2.k. . ...~ .T|.........O.T...V........0.!.q.i'.....|..C...........q...g;..f.....k..-.G.E1.Ql..f.P...$H...*G=.f%.}.....C...2HD..5^..P..r,.A.4...M.b.b..}..S1;y.o@).au5....$... .D....B.].h.=)jB..dk.....t..y...QD.o.......b...K..Lg.'....H...k.k..M&:..uGv...P..M<...?c..Yx%.;....2...=OI.$.....]@..u.r...8.. PK........H~:E....7... .......install-recovery.sh..I.=..$.$....5=.P..*R:SJ<...dE.jK.zK.]..,L).....XD....PK........w.TER...............Kinguser.apk.Xm=...I....Z........u...sy. ......... ........0....l..KG.......|.U..L...2.V.{.j..m>....).4.....B..c_.Pm.`.b..c.517.....8..L....J........@....O..u$V.T.Po.9.!.nX.V.L....3.sc.. ..d....J... ../........o"PQ].?.wGja.e.y._#...XK.9..k.5E......L..\.......?.....l.$#M..{8.5.~b.p.1$..Z..Y..u?...S.....=_..s.u...R.Y.V..{..'.F.;p....G...7.F.........h..;..-'.Y.Q..G&.\#.......d9rtx.....H..-.#su.Bh..T.P$}V....lHy...1....X.{.\_....g.(...u...HP.n....c....?..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

RootGenius.exe_1980:

.text

`.rdata

@.data

.rsrc

@.reloc

zlib1.dll

RootGenius.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

KERNEL32.dll

USER32.dll

SHLWAPI.dll

dbghelp.dll

GetProcessHeap

GetCPInfo

RootGeniusCaller.exe

zcÃ

tGHt.Ht&

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

1.2.5

GetConsoleOutputCP

unzOpenCurrentFilePassword

? ?$?(?,?0?4?~?

1 1$1(1,1

8"8'818?8

; ;

ddexe,

install-recovery.sh

Kinguser.apk

.Gw5ZU

.XV0:

.YN.l

.Xe2>

.KC4bE

O_v6&.HM

yL3^r.jn

.Cj3U

.UW}33

^%uD[U

Gn%S_

%d`}b

:z-%C)

.UrL$e

n2sQL

aP.Nj

.~.MP

q1.ki(

.nR]E

nGB%cY

kK.mh*

.wBo9LL

6.MDF

A3%C=

.RfJpP

4.NOX4

%\.XG

~%xIB 6

u.Bjz

Do.Is

X.aXAf

}\.GKNV,n

R4Ã¸

.arfJ

tMSG

d.gvs,

(%s$9

,%dQXQg

-d-Q.Mv

JB.BB

tcP "X

}:.XC

Q%u\k

s941@%X

J.LC5B

%u|ty

,Aq.oH

K-.SV

a-t}10

V.nwa

.aW\;$d_R

F.Bwu

:-Os}g

X.xb1

\\ÃŠ

]B/.eL %

&~KEy

Ad%u}

`>.js

,.XKr

ooY.XU9

!C)%sJ

.mAx[

P.fy2

8|%x>

\%Xe'\L

U'.mn

NE^%x

j.BM_

p.BQ}_

H.Idsb~

A.gS-

.pA5i

u2V#%U

v}.nJ

=B%xt

.asI T

%dG>vE

ddexe

AdbWinApi.dll.

#%5^!

5(Ãz

'.rpI

64B`U%2S

AdbWinUsbApi.dllG

\ftPK6

android_driver/devcon_x64.exe

R.Rgv

n.knG

@.UDl

2sÃ

%c!coC

android_driver/devcon_x86.exe

Data/Apk/StayAwake.apk

B3?0sN%s

.kK%

keYWb

J%XfQ

q.Lvf

K%STX

|h.Yh

`yb{%d

%S8G-

s.iUb

%CM#:

.Gh-BS

&%sZ{

N.JZu

DL6

.QY"T_

6j%s-

/P%dm

~G%s6

O%Ug{I

%c>D1

*%5UT

'=2 %S[N5

ib.eb

%uDa'

eHt%U

.hOW{}~j

.Cx/P

LU.LqJ

al["x%s

B%c~`)

g{.IX

-6pk}*f

t[t%U

oW%d>/g

"$.Vs

i__%F

QR.gv

.wA q

%B.Fs

AgWeB

.JcT[

>O,.fr

_.bHh

%0xcB

o.pT4

Qk)Ãœ

;.UgK

d.fBsp5

).Bmd

.oXDn

4.tfw

"mSg\v=f

|

P%f?#;7

-9}fW

%u-1.

1Q%dn6

]mJ.HKf-

jlÃ¿

Mz"%f

.hk`feN

.jMLm

u.QiV

%sk&yu

91.Rg

n0.Uq

`m.PSF

?T.IEu

f"%S\

Data/Bin/fakebackup.abspU

J%un}

.lHvO

.pN\oL

bO/.pks

2%CSBW

x=m%c

&,.jN

%sM\5

ÃŸr

&;*$;77,

%u8!{

t.Qz[

.GYf]P

D6.Os

(}G%c

.HFxT

.CvV]>2

6%f)(

fe>.xG

Ed-r6}

PC.JT

.lp0.

w.dRj

.xsG33/

u1bNv9c/%U

6/%U{;

k.no^J

.cUqD6p

G?6.ju

M$.sf

S%U(Sk

.vG3n}\

}L%c%

K.JH}

66.pWN

E.cMz>

xK]

Q@.bFw

9.%5x

.laX9

g7f-g}}

VO.HG

DI`.kfJ

ZGd.Ff

4y~#.QG

&.Oa#

/iW.oM

UA.ln~,

6%FQl

Ir4.sSHD/

B.uZa

P[V%F

4.ZW75o

k.Kk(

=%u#T

;:7%U

&Q.gL

J%UGO

m.TgL1

%fqN!

F.Dfu

y.JlLqOU

}F%6sq^l

P.Znb[

v.JYd

WtcP

.zTLoe

-.bca

%USpo

i^.Vz-

DXR61.nx0

.gFC^

~T.cBF

Ã½ ~]

K5.KO@

DM.AbF'3

:<.oy>

.aCmL]

.nhos"

.GD=}#;[

;A^?%C;g

v|8%x~

N.lJV$

.Wx{,

:MSgCJ

]wY%S*

y.xnc`-

PB3Ã‘

z-P}@

Tq.eM

%DPI>oR

.ib:\

.yVm-Y3O

u.SRTk)B

j.Amo

tPa.gFL

-%dVDq

t.ZbkW

ix.qQ

@yz.NSj6>

jVN~bÃ€

E.vIWW

o.Ha/i

^J4Z|.kn*

=?bot%S

E_%sj

`1.cj

)Je.gh

MI.Ci

i.IqH

CC%xY

9.mA

%uz!S

(=hr.AY

#%fWm

k:\KEe

NcsN%s

Q[%9xv

Z.ZM9

*%8uXl

x.fuRX

^.lp-M

=.XJ^q

%fTkI

.uxD8

/Å¸s

Ãœ,[ST

>.peG!|

hnHS.oU

Gg.ma

.vqV`

K2uJ.oG

.SGV-

A %C]

Tsi.JE^$

.tI!w

ul.EB=%1

%UNEwm

e:$.FW

vN-I}

.Gf!wx

j{%Ul

k)%sL

b~5O@%D^7

D.Ye0

0^*%U

s.bIl

2W.AZ

.GH|1

.NTL ZCg

M=.sJ

.Rzy/

aZ.fJ

ZC/;%FT

O%S},

| N%fq

%dN9

.cLXK

L.Tjq{:

,RÃš

P(-K}

N .YI

R.EK)#

mSG2;

Enh%x

t1Y%U

.DRdK

.rp![

aD.Wy

.vB 05q7

E.yRse

7.vp.

9.TafI

q.Vh1

%UT,2

Nh.NU

R.JSp

Y2rU%D

=b.jbRo

6s.sH

g.Tn1

4~E.mA[

`u.Js

5%DsnZ

Dm%s7E4

j.pSfU

.uJQs

};z5.zC)Q

mI.zm

JF.bb

%%s0}fH

]\.Mg

J(.BPN

C$X%FJ

Ãœl:

.Nt=R

l\.lKG

i

Z%CnZ9

%UPDdr

Ml.dO j

).tD~

8h.Gd)

[.Eq_

Gl.TZ

Gq.Bqo{

shuame_helper.exe

.He b

sqlH

2gh=L.jPM

T.Qh:x

l.Km5Xv

6.zV;

.nhV'o

&.mAX

bTX#.DtREE"

q5%X^

.Xa1U.

.SKZl

:(1.du

.GJ6}O

HLd!.tR

g~.JW

$d%SU(

.Tdx$

H.RqX

.wYtk

Q.lc4t7

%xJp]

.iu77

xTM%S

Uev%F

}mu.JI

Z,6C%c

r.rhF`

.Jt4K

1E.NV

F$/.yPxx

-u.sw

)>.Rj

UpdateGenius.exe

bBM%U{v

AdbWinApi.dll

AdbWinUsbApi.dll

Data/Bin/fakebackup.ab

RootGenius.dllPK

RootGeniusEx.txtPK

RootGeniusEx.txt

/4%X)

'H%Sx

`)I%S

2%2*292`2

0 0$0(0,000

KERNEL32.DLL

mscoree.dll

RootGenius.zip

RootGeniusEx.zip

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RootGenius.exe

zlib.dll

ZLib.DLL

DLL support by Alessandro Iacopetti & Gilles Vollant

RootGenius.exe

World of Tanks Hack.exe_2008:

.text

`.itext

`.data

.idata

.rdata

@.reloc

B.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080

;"<_>

; ;$;(;,;0;4;8;

7 8$888

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

shuame_helper.exe_1852:

.text

`.rdata

@.data

.rsrc

@.reloc

|$@3|$

3|$

FtPS

tGHt.Ht&

Big Number part of OpenSSL 1.0.0d 8 Feb 2011

RSA part of OpenSSL 1.0.0d 8 Feb 2011

.\crypto\pem\pem_pkey.c

ENCRYPTED PRIVATE KEY

PRIVATE KEY

ANY PRIVATE KEY

%s PRIVATE KEY

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

CERTIFICATE

passed a null parameter

DSO support routines

x509 certificate routines

error:lX:%s:%s:%s

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

%'%1$=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

PEM part of OpenSSL 1.0.0d 8 Feb 2011

phrase is too short, needs to be at least %d chars

Enter PEM pass phrase:

TRUSTED CERTIFICATE

X509 CERTIFICATE

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

.\crypto\evp\evp_pkey.c

pubkey

enc_key

key_enc_algor

cert

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

d.data

d.other

NETSCAPE_CERT_SEQUENCE

certs

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

DSA part of OpenSSL 1.0.0d 8 Feb 2011

priv_key

pub_key

.\crypto\ec\ec_key.c

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

Diffie-Hellman part of OpenSSL 1.0.0d 8 Feb 2011

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

Stack part of OpenSSL 1.0.0d 8 Feb 2011

value.single

value.set

?456789:;

!"#$%&'()* ,-./0123

lhash part of OpenSSL 1.0.0d 8 Feb 2011

RAND part of OpenSSL 1.0.0d 8 Feb 2011

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

%s: (%d bit)

Public-Key

Private-Key

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

Public-Key: (%d bit)

Private-Key: (%d bit)

.\crypto\evp\evp_key.c

nkey

EVP part of OpenSSL 1.0.0d 8 Feb 2011

name.relativename

name.fullname

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*s%s:

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

ASN.1 part of OpenSSL 1.0.0d 8 Feb 2011

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

AUTHORITY_KEYID

keyid

cert_info

EC part of OpenSSL 1.0.0d 8 Feb 2011

.\crypto\dh\dh_key.c

USER32.DLL

NETAPI32.DLL

KERNEL32.DLL

ADVAPI32.DLL

ECDSA part of OpenSSL 1.0.0d 8 Feb 2011

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps