Gen.Variant.Barys.2143_d094375369

by malwarelabrobot on August 10th, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Delf.efnz (Kaspersky), Gen:Variant.Barys.2143 (B) (Emsisoft), Gen:Variant.Barys.2143 (AdAware), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d094375369bf3179856f9e8b1cff2250
SHA1: 79d45891258589aadfcf62d420c85e9635d26f0a
SHA256: 71b75677febbaa0ead9a02dd79e8d4ea58e9bbae71a129e7645541311ef40266
SSDeep: 98304:UoroaJBXxQU7ddZL0lcDeQ/ohEBAlQVF9ZJs+AAMztVnLsatrDMRZQNwVHrQU/k:noIBXWQ10ueQAIA8FLC+VMztlLssrwro
Size: 6043648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: WNZXP
Created at: 1992-06-20 01:22:17 (this is the fixed link timestamp Delphi's linker stamps into every PE it produces, 1992-06-19 22:22:17 UTC shown here in local time; it says nothing about when the sample was actually built)
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a program whose purpose is the covert installation of other malware on the user's system. In this run the sample, presented as a World of Tanks cheat, drops two executables into the user's Temp directory: RootGenius.exe (an Android rooting tool that then fetches its own update over the network) and World of Tanks Hack v.6.0.exe. The latter drops World of Tanks Hack.exe, which writes a byte-for-byte copy of itself to %Application Data%\MSDCSC\msdcsc.exe (both carry MD5 a59280211db18ba746eae705d7be1aff, see the dropped-file table) and registers that copy under the per-user Run key and the Winlogon UserInit value. The MSDCSC path and the registry footprint match the Backdoor.Win32.Fynloski verdict in the detection list above.

Payload

No specific payload was identified by the automated run. The persisted msdcsc.exe (see the registry activity of World of Tanks Hack.exe:2008 and the Fynloski verdicts in the detection list) is the component to examine manually.

Process activity

The Trojan creates the following process(es):

World of Tanks Hack v.6.0.exe:2000
%original file name%.exe:136
shuame_helper.exe:568
shuame_helper.exe:1852

The Trojan injects its code into the following process(es):

World of Tanks Hack.exe:2008
RootGenius.exe:1980

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process World of Tanks Hack v.6.0.exe:2000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack.exe (3748 bytes)

The process %original file name%.exe:136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius.exe (34007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack v.6.0.exe (7386 bytes)

The process shuame_helper.exe:1852 makes changes in the file system. The adbkey/adbkey.pub pair under .android is the RSA key pair the Android Debug Bridge generates on first use; it belongs to the bundled RootGenius tooling, not to the backdoor.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\.android\adbkey (1 bytes)
%Documents and Settings%\%current user%\.android\adbkey.pub (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)

The process World of Tanks Hack.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (4545 bytes)

The process RootGenius.exe:1980 makes changes in the file system. The files it extracts under Temp\RootGenius\ (adb DLLs, devcon, busybox, su, Kinguser.apk, install-recovery.sh) are what the rooting tool pushes to a connected Android device; of these, only shuame_helper.exe appears in the process list above.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\rgs (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\upNew_RootGenius.exe.tmp.fd (256409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser.zip (3863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\busybox (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\info (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\su1 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\shuame_helper.exe (3811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Download\KingUser.tmp.fd (85886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\run_daemon (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\UpdateGenius.exe (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\Shuame\.clientid (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8UT3N2QI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (7666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\fakebackup.ab (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinApi.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6SKZNAOD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\79KZR3GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NE6NOXOX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ku.sud (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\zlib1.dll (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Apk\StayAwake.apk (45 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install (0 bytes)

Registry activity

The process World of Tanks Hack v.6.0.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed", MountPoints2 "BaseClass" and Shell Folders entries listed here and under the other processes are ordinary side effects of the CryptoAPI, shell and WinINet libraries, not indicators of this family):

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0A A4 A1 A5 95 34 15 8C 6F DC C8 07 67 32 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"World of Tanks Hack.exe" = "Remote Service Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process also writes the Internet Explorer zone-map flags for the current user:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"

IntranetName=1 places single-label (dotless) host names in the Local Intranet zone, UNCAsIntranet=1 does the same for UNC paths, and ProxyBypass=1 for hosts on the proxy bypass list. All three match Internet Explorer's defaults and are commonly written when WinINet initialises a fresh user profile, so on their own they do not show that the zone map has been weakened.

The process %original file name%.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 48 58 F1 2D 72 F0 18 73 C6 C3 55 A0 24 81 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"RootGenius.exe" = "RootGenius"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"World of Tanks Hack v.6.0.exe" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process also writes the Internet Explorer zone-map flags for the current user:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"

(Dotless host names, UNC paths and proxy-bypass hosts are mapped to the Local Intranet zone; these match Internet Explorer's defaults and are not a weakening on their own.)

The process shuame_helper.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 96 A1 0E 82 AF E8 B6 D9 C0 97 CF 4E 3B 55 33"

The process shuame_helper.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 F9 C4 58 3A F2 85 22 F1 E0 CB 8C 76 BA A1 21"

The process World of Tanks Hack.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 77 CF 67 C3 0C 79 49 D0 48 F9 00 75 60 79 A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To run at every logon of the current user, the dropped component registers its persisted copy under the per-user Run key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msdcsc" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

It also appends the same path to the machine-wide Winlogon UserInit value. Winlogon runs every comma-separated entry of this value at each interactive logon, before the shell starts, so the backdoor survives removal of the Run entry. The value lives under HKLM, so writing it required administrative rights, which the process evidently had since the write succeeded:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

Cleaning this entry means restoring the value to "%System%\userinit.exe," rather than deleting it; a missing UserInit breaks interactive logon.
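The two entries above are the persistence worth checking on any host suspected of this infection. The script below is an added example written for this page, not code from the report or from the sandbox: it parses a Winlogon UserInit value and a set of Run values the way an incident-response triage script would, flagging anything Winlogon would launch besides the system userinit.exe and any Run entry whose target sits in a user-writable profile or temp directory. The sample values are the ones recorded above; the system-directory and user-writable-directory lists are heuristics assumed for this example.

```python
from __future__ import annotations

import ntpath

# Winlogon should only ever launch the system userinit.exe from UserInit;
# Windows stores it with a trailing comma ("C:\WINDOWS\system32\userinit.exe,").
LEGIT_USERINIT_EXE = "userinit.exe"
# Directories the legitimate entry may live in (assumed list for this example;
# extend it for other drive letters or %SystemRoot% spellings).
SYSTEM_DIRS = ("%system%", r"c:\windows\system32", r"c:\winnt\system32")
# Profile and temp locations a logon-persistence entry should not point into
# (XP-era and Vista+ names; heuristic chosen for this example).
USER_WRITABLE_DIRS = (
    "\\application data\\",
    "\\appdata\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)


def split_winlogon_list(value: str) -> list[str]:
    """Split a comma-separated Winlogon value into entries, dropping empties and quotes."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def is_system_userinit(entry: str) -> bool:
    """True only for userinit.exe located in a known system directory."""
    return (
        ntpath.basename(entry).lower() == LEGIT_USERINIT_EXE
        and ntpath.dirname(entry).lower() in SYSTEM_DIRS
    )


def userinit_findings(value: str) -> list[str]:
    """Every UserInit entry Winlogon would run besides the system userinit.exe."""
    return [entry for entry in split_winlogon_list(value) if not is_system_userinit(entry)]


def run_key_findings(values: dict[str, str]) -> list[tuple[str, str]]:
    """(value name, command) pairs whose target lives in a user-writable directory."""
    hits = []
    for name, command in values.items():
        lowered = command.lower()
        if any(marker in lowered for marker in USER_WRITABLE_DIRS):
            hits.append((name, command))
    return hits


def audit_logon_persistence(userinit: str, run_values: dict[str, str]) -> dict:
    """Combine both checks into one report, as an IR triage script would."""
    return {
        "userinit_extra": userinit_findings(userinit),
        "run_suspicious": run_key_findings(run_values),
    }


# Values as recorded in this report for World of Tanks Hack.exe:2008.
REPORTED_USERINIT = (
    r"%System%\userinit.exe,"
    r"%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
)
REPORTED_RUN = {
    "msdcsc": r"%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe",
}
# What a clean Windows XP install carries (note the trailing comma).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    print(audit_logon_persistence(REPORTED_USERINIT, REPORTED_RUN))
    print(audit_logon_persistence(CLEAN_USERINIT, {}))
```

On a live host the same values can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserInit` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and fed to audit_logon_persistence(). Environment-variable forms such as %System% are deliberately left unexpanded, which is why the check compares on directory and file name rather than on an absolute path; a userinit.exe planted in a temp directory is still flagged.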

The process RootGenius.exe:1980 makes changes in the system registry.
Most of what follows is WinINet and shell initialisation (Internet Settings\Cache\Paths, Shell Folders, SavedLegacySettings); the entries specific to this tool are the [HKCU\Software\RootGenius] key recording its own path and the proxy changes noted below. The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\RootGenius]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RootGenius.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 AB A9 D3 0F 8B B2 02 BA 70 8E CE 00 4B F9 0F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The process also writes the Internet Explorer zone-map flags for the current user:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

(UNC paths, proxy-bypass hosts and dotless host names are mapped to the Local Intranet zone; these match Internet Explorer's defaults and are not a weakening on their own.)

Proxy settings are disabled, so WinINet connects directly instead of through any configured proxy:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The process also deletes the user's proxy configuration values (proxy server, bypass list and PAC URL), so any egress proxy configured for WinINet clients is cleared:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

Note that msdcsc.exe (the persisted copy under Application Data) and World of Tanks Hack.exe (in Temp) share MD5 a59280211db18ba746eae705d7be1aff: the backdoor is installed as a byte-for-byte copy of the dropped stage. Everything under Temp\RootGenius\ belongs to the bundled rooting tool.

MD5 File path
a59280211db18ba746eae705d7be1aff c:\Documents and Settings\"%CurrentUserName%"\Application Data\MSDCSC\msdcsc.exe
ce042f519c0abab6e3ac30dfd0a28408 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius.exe
55b2c245718c8612d5b1f45182b3186b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\AdbWinApi.dll
58067cfdf27774a97c1bdbf5b9d5bc3e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll
5ab29a0ff73766e497e00594145df0d9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\RootGenius.dll
9b26339dac7d92c1f577052f2d8c5a9d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\UpdateGenius.exe
68dd313030ce594585fe5bf6c30fc573 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe
13468a05c81cb1e83e22ed540d2b378f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe
a1898660f04107ad073d3edbee2ae2ec c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\shuame_helper.exe
08eb5b5dc281fe0bf46cb234b4102f94 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RootGenius\zlib1.dll
1773bc61706767ff5944e9730bda7242 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\World of Tanks Hack v.6.0.exe
a59280211db18ba746eae705d7be1aff c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\World of Tanks Hack.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE       4096     5048     5120  4.39524   e5913936857bed3b3b2fbac53e973471
DATA      12288      124      512  0.77468   cef89de607e490725490a3cd679af6bb
BSS       16384     1685        0  0         d41d8cd98f00b204e9800998ecf8427e
.idata    20480      770     1024  2.41029   3d2f2fc4e279cba623217ec9de264c4f
.tls      24576        4        0  0         d41d8cd98f00b204e9800998ecf8427e
.rdata    28672       24      512  0.138011  467f29e48f3451df774e13adae5aafc2
.reloc    32768      456      512  4.00868   9859d413c7408cb699cca05d648c2502
.rsrc     36864  6034888  6034944  5.43911   7ac1e95657bb06de64065ecfc5667eb9

The raw sizes add up to 6042624 bytes, leaving 1024 bytes of headers in the 6043648-byte file; .rsrc alone is 6034944 bytes (99.9%), so the dropped executables are carried as resources behind a 5 KB stub. CODE/DATA/BSS are the section names Delphi's linker emits, consistent with the Delf verdict and the fixed 1992 timestamp. The MD5 d41d8cd98f00b204e9800998ecf8427e on BSS and .tls is the hash of zero bytes, as expected for sections with no raw data. The PEiD match "UPolyXv05_v6" is a signature hit and on its own is not evidence that the stub is packed.
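To turn the section table into the observations above in a repeatable way, the following is an added example written for this page, not code from the report: it parses the rows as printed, computes how many bytes fall outside the sections, finds the section carrying the bulk of the file, and emits triage findings. The 7.0 bits/byte entropy cut-off and the 4096-byte overlay threshold are heuristics assumed for this example; since the report prints raw sizes but not raw offsets, the out-of-section count assumes contiguous sections.

```python
from __future__ import annotations

from dataclasses import dataclass

# Section table exactly as printed in this report (name, VA, virtual size,
# raw size, entropy, MD5).
PE_SECTIONS_TABLE = """\
CODE 4096 5048 5120 4.39524 e5913936857bed3b3b2fbac53e973471
DATA 12288 124 512 0.77468 cef89de607e490725490a3cd679af6bb
BSS 16384 1685 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 20480 770 1024 2.41029 3d2f2fc4e279cba623217ec9de264c4f
.tls 24576 4 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 28672 24 512 0.138011 467f29e48f3451df774e13adae5aafc2
.reloc 32768 456 512 4.00868 9859d413c7408cb699cca05d648c2502
.rsrc 36864 6034888 6034944 5.43911 7ac1e95657bb06de64065ecfc5667eb9
"""
FILE_SIZE = 6043648  # "Size" field of the report

MD5_OF_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes
DELPHI_SECTION_NAMES = {"CODE", "DATA", "BSS"}      # Borland Delphi linker naming
HIGH_ENTROPY = 7.0        # bits/byte; compressed or encrypted data sits above this (heuristic)
OVERLAY_THRESHOLD = 4096  # bytes outside sections beyond which an overlay is suspected (heuristic)


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


def parse_sections(table: str) -> list[Section]:
    """Parse whitespace-separated rows; section names never contain spaces."""
    sections = []
    for line in table.splitlines():
        if not line.strip():
            continue
        name, va, vsize, rsize, entropy, md5 = line.split()
        sections.append(Section(name, int(va), int(vsize), int(rsize), float(entropy), md5))
    return sections


def bytes_outside_sections(sections: list[Section], file_size: int) -> int:
    """File bytes not covered by any section's raw data: headers plus any overlay.
    The report gives raw sizes but not raw offsets, so this assumes contiguous sections."""
    return file_size - sum(s.raw_size for s in sections)


def largest_section(sections: list[Section]) -> Section:
    return max(sections, key=lambda s: s.raw_size)


def raw_share(sections: list[Section], name: str, file_size: int) -> float:
    """Fraction of the file occupied by the named section's raw data."""
    return next(s.raw_size for s in sections if s.name == name) / file_size


def triage(sections: list[Section], file_size: int) -> list[str]:
    """Findings a reverser wants before opening the file."""
    findings = []
    big = largest_section(sections)
    share = big.raw_size / file_size
    if big.name == ".rsrc" and share > 0.9:
        findings.append(f".rsrc holds {share:.1%} of the file: payload carried as resources")
    if big.entropy < HIGH_ENTROPY:
        findings.append(
            f"{big.name} entropy {big.entropy:.2f} < {HIGH_ENTROPY}: "
            "bulk of the file is not uniformly compressed/encrypted"
        )
    if DELPHI_SECTION_NAMES <= {s.name for s in sections}:
        findings.append("CODE/DATA/BSS section names: Borland Delphi linker")
    for s in sections:
        # Sections with no raw data (BSS, .tls) must hash to the empty-input MD5.
        if s.raw_size == 0 and s.md5 != MD5_OF_EMPTY:
            findings.append(f"{s.name}: raw size 0 but MD5 is not the empty hash")
    outside = bytes_outside_sections(sections, file_size)
    if outside < 0:
        findings.append("sections claim more raw bytes than the file holds: truncated or malformed")
    elif outside > OVERLAY_THRESHOLD:
        findings.append(f"{outside} bytes outside sections: possible overlay")
    return findings


if __name__ == "__main__":
    secs = parse_sections(PE_SECTIONS_TABLE)
    print(f"{bytes_outside_sections(secs, FILE_SIZE)} bytes outside sections")
    for finding in triage(secs, FILE_SIZE):
        print("-", finding)
```

For this sample the script reports 1024 bytes outside sections (headers only, no overlay), the resource-carried payload, and the Delphi naming; the same functions applied to a section table from a real PE parser would additionally need the raw offsets to detect an overlay precisely.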

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

All captured URLs belong to the bundled RootGenius tool: its config and update check (versionName=RootGenius&versionCode=77) against api1.rootjl.com and root-lb.gz.1251001058.clb.myqcloud.com, and downloads of its 2.4.1 installer and the KingUser superuser package from qq.com and myqcloud.com (Tencent) CDN mirrors. No traffic attributable to the dropped msdcsc.exe was recorded in this run.

URL IP
hxxp://root-lb.gz.1251001058.clb.myqcloud.com/v2/root/cfg?versionName=RootGenius&versionCode=77
hxxp://root-lb.gz.1251001058.clb.myqcloud.com/v2/root/update?versionName=RootGenius&versionCode=77
hxxp://p23.tcdn.qq.com/1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip
hxxp://down.qq.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe
hxxp://182.118.11.159/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe
hxxp://42.56.65.16/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe
hxxp://163.177.158.80/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe
hxxp://153.37.232.46/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe
hxxp://1251001058.cdn.myqcloud.com/1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip 42.56.65.20
hxxp://dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe 183.61.46.140
hxxp://api1.rootjl.com/v2/root/cfg?versionName=RootGenius&versionCode=77 203.195.128.118
hxxp://api1.rootjl.com/v2/root/update?versionName=RootGenius&versionCode=77 203.195.128.118


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

This rule matches a short opcode pattern in the payload and fires readily on ordinary executables transferred over HTTP; the only binaries on the wire here are the RootGenius installer and the KingUser package, so the alert is a weak indicator in this capture rather than evidence of exploitation.

Traffic

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=335269-440211
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com
Connection: Close


HTTP/1.1 206 Partial Content
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:14 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:14 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Range: bytes 335269-440211/880425
Content-Type: application/zip
Content-Length: 104943
X-Cache-Lookup: Hit From Disktank
[104943 bytes of binary zip data follow; not reproduced]

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: dl.shuame.com


HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sun, 09 Aug 2015 00:36:09 GMT
Expires: Sun, 09 Aug 2015 00:36:09 GMT
Cache-Control: max-age=0
Content-Length: 65
Location: hXXp://182.118.11.159/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe
The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...


POST /v2/root/cfg?versionName=RootGenius&versionCode=77 HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: api1.rootjl.com
Content-Length: 0


HTTP/1.1 200 OK
Server: openresty
Date: Sun, 09 Aug 2015 00:36:06 GMT
Content-Type: text/plain
Content-Length: 703
Connection: close
[703-byte body: declared text/plain but made up of non-printable bytes, i.e. the config endpoint returns an obfuscated blob rather than readable text; not reproduced]


GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe HTTP/1.1
Range: bytes=3367408-5051111
Pragma: no-cache
Cache-Control: no-cache
Host: 153.37.232.46
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Connection: Close


HTTP/1.1 206 Partial Content
Server: 3Gdown_DK
Connection: close
Date: Sun, 09 Aug 2015 00:38:23 GMT
Cache-Control: max-age=2592000
Expires: Tue, 08 Sep 2015 00:38:23 GMT
Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT
Content-Range: bytes 3367408-5051111/6734816
Content-Type: application/octet-stream
Content-Length: 1683704
X-Cache-Lookup: Hit From DiskTank Chunk Forward
[1683704 bytes of binary executable data follow; not reproduced]

<<< skipped >>>

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c6868ce7f4ac34&f=8f5d&p=.exe HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 182.118.11.159
Connection: Close


HTTP/1.1 200 OK
Server: 3Gdown_DK
Connection: close
Date: Sun, 09 Aug 2015 00:36:10 GMT
Cache-Control: max-age=2592000, s-maxage=10
Expires: Tue, 08 Sep 2015 00:36:10 GMT
Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT
Content-Type: application/octet-stream
Content-Length: 6734816
X-Cache-Lookup: Hit From DiskTank Chunk Forward
[body begins with an MZ/PE header ("This program cannot be run in DOS mode", sections .text and .rdata visible): a 6734816-byte Windows executable; remainder not reproduced]

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1
Range: bytes=1683704-3367407
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: dl.shuame.com
Connection: Close


HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sun, 09 Aug 2015 00:36:12 GMT
Expires: Sun, 09 Aug 2015 00:36:12 GMT
Cache-Control: max-age=0
Content-Length: 65
Location: hXXp://42.56.65.16/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe
Accept-Ranges: bytes
Content-Range: bytes 0-64/0
The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...


GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=660318-880424
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com
Connection: Close


HTTP/1.1 206 Partial Content
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:05 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:05 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Range: bytes 660318-880424/880425
Content-Type: application/zip
Content-Length: 220107
X-Cache-Lookup: Hit From Disktank
[binary body omitted: bytes 660318-880424 of the KingUser ZIP, per Content-Range]

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1
Range: bytes=3367408-5051111
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: dl.shuame.com
Connection: Close


HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sun, 09 Aug 2015 00:36:12 GMT
Expires: Sun, 09 Aug 2015 00:36:12 GMT
Cache-Control: max-age=0
Content-Length: 65
Location: hXXp://153.37.232.46/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=d388&p=.exe
Accept-Ranges: bytes
Content-Range: bytes 0-64/0
The actual URL is '/files/RootGenius/2.4.1/RootGenius_2.4.1.exe'...


GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=440212-660317
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com
Connection: Close


HTTP/1.1 206 Partial Content
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:05 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:05 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Range: bytes 440212-660317/880425
Content-Type: application/zip
Content-Length: 220106
X-Cache-Lookup: Hit From Disktank
[binary body omitted: bytes 440212-660317 of the KingUser ZIP, per Content-Range]

<<< skipped >>>

GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1
Range: bytes=5051112-6734815
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: dl.shuame.com
Connection: Close


HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sun, 09 Aug 2015 00:36:13 GMT
Expires: Sun, 09 Aug 2015 00:36:13 GMT
Cache-Control: max-age=0
Content-Type: application/octet-stream
Content-Length: 0
Location: hXXp://163.177.158.80/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe
Accept-Ranges: bytes
Content-Range: bytes 0--1/0


POST /v2/root/update?versionName=RootGenius&versionCode=77 HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: api1.rootjl.com
Content-Length: 239

[239-byte POST body omitted: opaque binary, not printable form data despite the declared application/x-www-form-urlencoded Content-Type]
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 09 Aug 2015 00:36:06 GMT
Content-Type: text/plain
Content-Length: 788
Connection: close
[788-byte response body omitted: opaque binary despite the declared text/plain Content-Type]


GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68688e7f4ac34&f=d488&p=.exe HTTP/1.1
Range: bytes=5051112-6734815
Pragma: no-cache
Cache-Control: no-cache
Host: 163.177.158.80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Connection: Close


HTTP/1.1 206 Partial Content
Server: 3Gdown_DK
Connection: close
Date: Sun, 09 Aug 2015 00:36:13 GMT
Cache-Control: max-age=0, s-maxage=10
Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT
Content-Range: bytes 5051112-6734815/6734816
Content-Type: application/octet-stream
Content-Length: 1683704
X-Cache-Lookup: Hit From Disktank 
[binary body omitted: bytes 5051112-6734815 of RootGenius_2.4.1.exe, per Content-Range]

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=220106-440211
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com
Connection: Close


HTTP/1.1 206 Partial Content
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:05 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:05 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Range: bytes 220106-440211/880425
Content-Type: application/zip
Content-Length: 220106
X-Cache-Lookup: Hit From Disktank
[binary body omitted: bytes 220106-440211 of the KingUser ZIP, per Content-Range]

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=795191-880424
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com
Connection: Close


HTTP/1.1 206 Partial Content
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:15 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:15 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Range: bytes 795191-880424/880425
Content-Type: application/zip
Content-Length: 85234
X-Cache-Lookup: Hit From Disktank
[binary body omitted: bytes 795191-880424 of the KingUser ZIP, per Content-Range]

<<< skipped >>>

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe HTTP/1.1
Range: bytes=1683704-3367407
Pragma: no-cache
Cache-Control: no-cache
Host: 42.56.65.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Connection: Close


HTTP/1.1 206 Partial Content
Server: 3Gdown_DK
Connection: close
Date: Sun, 09 Aug 2015 00:36:12 GMT
Cache-Control: max-age=0
Last-Modified: Mon, 03 Aug 2015 07:57:55 GMT
Content-Range: bytes 1683704-3367407/6734816
Content-Type: application/octet-stream
Content-Length: 1683704
X-Cache-Lookup: Hit From Disktank
[binary body omitted: bytes 1683704-3367407 of RootGenius_2.4.1.exe, per Content-Range]

<<< skipped >>>

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: 1251001058.cdn.myqcloud.com


HTTP/1.1 200 OK
Server: NWS_Appimg_HY
Connection: close
Date: Sun, 09 Aug 2015 00:36:04 GMT
Cache-Control: max-age=6000
Expires: Sun, 09 Aug 2015 02:16:04 GMT
Last-Modified: Mon, 27 Apr 2015 06:40:49 GMT
Content-Type: application/zip
Content-Length: 880425
X-Daa-Tunnel: hop_count=1
X-Cache-Lookup: Hit From Upstream
X-Cache-Lookup: Hit From Disktank
[binary body omitted: the full 880425-byte KingUser ZIP; the local file header names ddexe, install, install-recovery.sh and Kinguser.apk are visible in the dump]

<<< skipped >>>
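
The exchanges above show the helper pulling RootGenius_2.4.1.exe and the KingUser ZIP in parallel byte ranges: each GET to dl.shuame.com carries a Range header, the 302 answers hand that same range off to a bare-IP CDN node (42.56.65.16, 153.37.232.46, 163.177.158.80) with a per-hop mkey query, and the 206 answers carry a Content-Range that states the full object size. The Python below is an added example (not Lavasoft MAS tooling and not code from the sample) that reassembles such a capture into one summary per artefact: which byte spans were fetched, which spans are still missing, which hosts the redirects pointed at, and whether any 206 body length disagrees with its Content-Range. SAMPLE_CAPTURE is constructed from header lines printed above with the bodies dropped; all function names are ours.

```python
"""Reassemble the segmented HTTP Range downloads shown in the capture above.
Added example, not Lavasoft MAS code and not code from the sample: SAMPLE_CAPTURE is
constructed from header lines printed above (bodies dropped); function names are ours."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_CAPTURE = """\
GET /files/RootGenius/2.4.1/RootGenius_2.4.1.exe HTTP/1.1
Range: bytes=1683704-3367407
Host: dl.shuame.com

HTTP/1.1 302 Found
Location: hXXp://42.56.65.16/dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe
Content-Range: bytes 0-64/0

GET /dl.shuame.com/files/RootGenius/2.4.1/RootGenius_2.4.1.exe?mkey=55c68689e7f4ac34&f=8f5d&p=.exe HTTP/1.1
Range: bytes=1683704-3367407
Host: 42.56.65.16

HTTP/1.1 206 Partial Content
Content-Range: bytes 1683704-3367407/6734816
Content-Length: 1683704

GET /1251001058/files/superuser/KingUser34-3.4.5.15-default-247334.zip HTTP/1.1
Range: bytes=660318-880424
Host: 1251001058.cdn.myqcloud.com

HTTP/1.1 206 Partial Content
Content-Range: bytes 660318-880424/880425
Content-Length: 220107
"""
START_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
CONTENT_RANGE_RE = re.compile(r"bytes (\d+)-(\d+)/(\d+)")

def parse_messages(capture):
    """Split a header-only capture on blank lines into request/response dicts."""
    messages = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.strip().splitlines()
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in lines[1:])}
        req = START_RE.match(lines[0])
        if req:
            messages.append({"kind": "request", "target": req.group(2), "headers": headers})
        else:
            status = int(STATUS_RE.match(lines[0]).group(1))
            messages.append({"kind": "response", "status": status, "headers": headers})
    return messages

def canonical_path(target):
    """One key per artefact: the 302 hops fold the origin host into the path
    (/dl.shuame.com/files/...) and add a per-hop query string, so strip both."""
    path = urlsplit(target).path
    parts = path.split("/", 2)
    return "/" + parts[2] if len(parts) == 3 and "." in parts[1] else path

def reassemble(capture):
    """Group ranged requests by artefact: spans fetched, redirect hops, anomalies."""
    msgs = parse_messages(capture)
    pairs = [(a, b) for a, b in zip(msgs[::2], msgs[1::2])
             if a["kind"] == "request" and b["kind"] == "response"]
    artefacts = defaultdict(lambda: {"segments": [], "total": None,
                                     "anomalies": [], "redirect_hosts": set()})
    for req, resp in pairs:
        entry = artefacts[canonical_path(req["target"])]
        if resp["status"] == 302:
            # The report defangs schemes as hXXp://; undo that before parsing.
            loc = resp["headers"].get("location", "").replace("hXXp://", "http://", 1)
            entry["redirect_hosts"].add(urlsplit(loc).hostname or "")
        elif resp["status"] == 206:
            cr = CONTENT_RANGE_RE.search(resp["headers"].get("content-range", ""))
            if not cr:
                continue
            first, last, total = map(int, cr.groups())
            entry["segments"].append((first, last))
            entry["total"] = total
            declared = int(resp["headers"].get("content-length", "0"))
            if declared != last - first + 1:  # body must match the advertised span
                entry["anomalies"].append(f"Content-Length {declared} != span {last - first + 1}")
    return dict(artefacts)

def coverage(segments, total):
    """Return (bytes fetched, [first, last] ranges still missing) for one artefact."""
    fetched, missing, cursor = 0, [], 0
    for first, last in sorted(segments):
        if first > cursor:
            missing.append((cursor, first - 1))
        if last >= cursor:
            fetched += last - max(first, cursor) + 1
            cursor = last + 1
    if total is not None and cursor < total:
        missing.append((cursor, total - 1))
    return fetched, missing

if __name__ == "__main__":
    for key, info in reassemble(SAMPLE_CAPTURE).items():
        got, gaps = coverage(info["segments"], info["total"])
        print(f"{key}: {got}/{info['total']} bytes, gaps={gaps}, via={sorted(info['redirect_hosts'])}, anomalies={info['anomalies']}")
```

Run as a script it prints one line per artefact. Fed the whole capture, the gap list tells you whether the sandbox actually saw every byte of the downloaded executable before you hash it or carve it out of the pcap; the anomaly list catches a CDN node that answered a range with a body of the wrong length.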

The Trojan connects to the servers at the following location(s):

RootGenius.exe_1980:

.text
`.rdata
@.data
.rsrc
@.reloc
zlib1.dll
RootGenius.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.dll
USER32.dll
SHLWAPI.dll
dbghelp.dll
GetProcessHeap
GetCPInfo
RootGeniusCaller.exe
zcÁ
tGHt.Ht&
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
<fd:%d>
GetConsoleOutputCP
unzOpenCurrentFilePassword
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
? ?$?(?,?0?4?~?
1 1$1(1,1
8"8'818?8
; ;<;@;`;
ddexe,
install-recovery.sh
Kinguser.apk
.Gw5ZU
.XV0:
.YN.l
.Xe2>
.KC4bE
O_v6&.HM
yL3^r.jn
.Cj3U
.UW}33
^%uD[U
Gn%S_
%d`}b
:z-%C)
.UrL$e
n2sQL
aP.Nj
.~.MP
q1.ki(
.nR]E
nGB%cY
kK.mh*
.wBo9LL
6.MDF
A3%C=
.RfJpP
4.NOX4
%\.XG
 ~%xIB 6
u.Bjz
<%u-?V
Do.Is
X.aXAf
}\.GKNV,n
R4ø
.arfJ
tMSG
d.gvs,
(%s$9
,%dQXQg
-d-Q.Mv
JB.BB
tcP "X
}:.XC
Q%u\k
s941@%X
J.LC5B
%u|ty
,Aq.oH
K-.SV
a-t}10
V.nwa</PU
.aW\;$d_R
F.Bwu
:-Os}g
X.xb1
\\Ê
]B/.eL %
&~KEy
Ad%u}
`>.js
,.XKr
ooY.XU9
!C)%sJ
.mAx[
P.fy2
8|%x>
\%Xe'\L
U'.mn
NE^%x
j.BM_
p.BQ}_
H.Idsb~
A.gS-
.pA5i
u2V#%U
v}.nJ
=B%xt
.asI T
%dG>vE
ddexe
AdbWinApi.dll.
#%5^!<{{
5(Ïz
'.rpI
64B`U%2S
AdbWinUsbApi.dllG
\ftPK6
android_driver/devcon_x64.exe
R.Rgv
n.knG
@.UDl
2sÐ
%c!coC
android_driver/devcon_x86.exe
Data/Apk/StayAwake.apk
B3?0sN%s
 .kK%
keYWb
J%XfQ
q.Lvf
K%STX
|h.Yh
`yb{%d
%S8G-
s.iUb
%CM#:
.Gh-BS
&%sZ{
N.JZu
DL6
.QY"T_ 
6j%s-
/P%dm
~G%s6
O%Ug{I
%c>D1
*%5UT
'=2 %S[N5
ib.eb
%uDa'
eHt%U
.hOW{}~j
.Cx/P
<%7Uk
LU.LqJ
al["x%s
B%c~`)
g{.IX
-6pk}*f
t[t%U
oW%d>/g
"$.Vs
i__%F
QR.gv
.wA q
%B.Fs
AgWeB
.JcT[
>O,.fr
_.bHh
%0xcB
o.pT4
Qk)Ü
;.UgK
d.fBsp5
).Bmd
.oXDn
4.tfw
"mSg\v=f
| 
P%f?#;7
-9}fW
%u-1.
1Q%dn6
]mJ.HKf-
jlÿ
Mz"%f
.hk`feN
.jMLm
u.QiV
%sk&yu
91.Rg
n0.Uq
`m.PSF
?T.IEu
f"%S\
Data/Bin/fakebackup.abspU
J%un}
.lHvO
.pN\oL
bO/.pks
2%CSBW
x=m%c
&,.jN
%sM\5
 ßr
&;*$;77,
%u8!{
t.Qz[
.GYf]P
D6.Os
(}G%c
.HFxT
.CvV]>2
6%f)(
fe>.xG
Ed-r6}
PC.JT
.lp0.
w.dRj
.xsG33/
u1bNv9c/%U
6/%U{;
k.no^J
.cUqD6p
G?6.ju
M$.sf
S%U(Sk
.vG3n}\
}L%c%
K.JH}
66.pWN
E.cMz>
xK]
9.%5x
.laX9
g7f-g}}
VO.HG
DI`.kfJ
ZGd.Ff
4y~#.QG
&.Oa#
/iW.oM
UA.ln~,
6%FQl
Ir4.sSHD/
B.uZa
P[V%F
<6.Cl_
4.ZW75o
k.Kk(
=%u#T
;:7%U
&Q.gL
J%UGO
m.TgL1
%fqN!
F.Dfu
y.JlLqOU
}F%6sq^l
P.Znb[
v.JYd
WtcP
.zTLoe
-.bca
%USpo
i^.Vz-
DXR61.nx0
.gFC^
~T.cBF
ý ~]
K5.KO@
DM.AbF'3
:<.OY@B,
.aCmL]
.nhos"
.GD=}#;[
;A^?%C;g
v|8%x~
N.lJV$
.Wx{,
:MSgCJ
]wY%S*
y.xnc`-
PB3Ñ
z-P}@
Tq.eM
%DPI>oR
.ib:\
.yVm-Y3O
u.SRTk)B
j.Amo
tPa.gFL
-%dVDq
t.ZbkW
ix.qQ
@yz.NSj6>
jVN~bÀ
E.vIWW
o.Ha/i
^J4Z|.kn*
=?bot%S
E_%sj
`1.cj
)Je.gh
MI.Ci
i.IqH
CC%xY
9.mA 
%uz!S
(=hr.AY
#%fWm
k:\KEe
NcsN%s
Q[%9xv
Z.ZM9
*%8uXl
x.fuRX
^.lp-M
=.XJ^q
%fTkI
.uxD8
/Ÿs
Ü,[ST
>.peG!|
hnHS.oU
Gg.ma
.vqV`
K2uJ.oG
.SGV-
A %C]
Tsi.JE^$
.tI!w
ul.EB=%1
%UNEwm
e:$.FW
vN-I}
.Gf!wx
j{%Ul
k)%sL
b~5O@%D^7
D.Ye0
0^*%U
s.bIl
2W.AZ
.GH|1
.NTL ZCg
M=.sJ
.Rzy/
aZ.fJ
ZC/;%FT
O%S},
| N%fq
%dN9 
.cLXK
L.Tjq{:
,RÚ
P(-K}
N .YI
R.EK)#
mSG2;
Enh%x
t1Y%U
.DRdK
.rp![<
aD.Wy
.vB 05q7
E.yRse
7.vp.
9.TafI
q.Vh1
%UT,2
Nh.NU 
R.JSp
Y2rU%D
=b.jbRo
6s.sH
g.Tn1
4~E.mA[
`u.Js
5%DsnZ
Dm%s7E4
j.pSfU
.uJQs
};z5.zC)Q
mI.zm
JF.bb
%%s0}fH
]\.Mg
J(.BPN
C$X%FJ
Ül:
.Nt=R
l\.lKG
i<Y.KH
Z%CnZ9
%UPDdr
Ml.dO j
).tD~
8h.Gd)
[.Eq_
Gl.TZ
Gq.Bqo{
shuame_helper.exe
.He b
sqlH
2gh=L.jPM
T.Qh:x
l.Km5Xv
6.zV;
.nhV'o
&.mAX
bTX#.DtREE"
q5%X^
 .Xa1U.
.SKZl
:(1.du
.GJ6}O
HLd!.tR
g~.JW
$d%SU(
.Tdx$
H.RqX
.wYtk
Q.lc4t7
%xJp]
.iu77
 xTM%S
Uev%F<[
}mu.JI
Z,6C%c
r.rhF`
.Jt4K
1E.NV
F$/.yPxx
-u.sw
)>.Rj
UpdateGenius.exe
bBM%U{v
AdbWinApi.dll
AdbWinUsbApi.dll
Data/Bin/fakebackup.ab
RootGenius.dllPK
RootGeniusEx.txtPK
RootGeniusEx.txt
/4%X)
'H%Sx
`)I%S
2%2*292`2
0 0$0(0,000
KERNEL32.DLL
mscoree.dll
RootGenius.zip
RootGeniusEx.zip
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RootGenius.exe
zlib.dll
ZLib.DLL
DLL support by Alessandro Iacopetti & Gilles Vollant
RootGenius.exe

World of Tanks Hack.exe_2008:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeysd-C
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownL
OnKeyPress
OnKeyUpH
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.ID
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
hXXp://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
1!1,1=1|1
6 6$6(6,606
=!=$=)=-=1=
01m1
0 0$0(0,0004080<0@0
<!=$=)=-=4=
;"<?<_<|<
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
(UntUploadFTPThread
UntFTP
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

shuame_helper.exe_1852:

.text
`.rdata
@.data
.rsrc
@.reloc
|$@3|$<3
3|$<3|$$
FtPS
tGHt.Ht&
Big Number part of OpenSSL 1.0.0d 8 Feb 2011
RSA part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\pem\pem_pkey.c
ENCRYPTED PRIVATE KEY
PRIVATE KEY
ANY PRIVATE KEY
%s PRIVATE KEY
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
%'%1$=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
PEM part of OpenSSL 1.0.0d 8 Feb 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
.\crypto\evp\evp_pkey.c
pubkey
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.0d 8 Feb 2011
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Diffie-Hellman part of OpenSSL 1.0.0d 8 Feb 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
Stack part of OpenSSL 1.0.0d 8 Feb 2011
value.single
value.set
?456789:;<=
!"#$%&'()* ,-./0123
lhash part of OpenSSL 1.0.0d 8 Feb 2011
RAND part of OpenSSL 1.0.0d 8 Feb 2011
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.0d 8 Feb 2011
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.0d 8 Feb 2011
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
EC part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\dh\dh_key.c
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
ECDSA part of OpenSSL 1.0.0d 8 Feb 2011
x%s
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
MD5 part of OpenSSL 1.0.0d 8 Feb 2011
keylength
keyfunc
\X
ddddddZ
ddddddZ
%d.%d.%d.%d
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
SHA1 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-256 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-512 part of OpenSSL 1.0.0d 8 Feb 2011
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.0d 8 Feb 2011
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
6%lu:%s:%s:%d:%s
Verifying - %s
'() ,-./:=?
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.0d 8 Feb 2011
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.0d 8 Feb 2011
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.0d 8 Feb 2011
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
transport
error: %s:
.\adb.cpp
%s::%s():
Error generating token ret=%d
send_auth_publickey
Calling send_auth_publickey
Failed to get user public key
parse_banner: %s
ro.product.name
ro.product.model
ro.product.device
handle_packet() %c%c%c%c
handle_packet: what is x?!
unknown local portname '%s'
cannot bind '%s'
adb.log
--- adb starting (pid %d) ---
CreatePipe() failure, error %ld
tcp:%d
bad host name %s
bad port number %s
%s:%d
already connected to %s
unable to connect to %s:%d
client: connected on remote on fd %d
connected to %s
unable to parse '%s' as <console port>,<adb port>
Invalid port numbers: Expected positive numbers, got '%s'
Emulator on port %d already registered.
Connected to emulator on ports %d,%d
Could not connect to emulator on ports %d,%d
transport-usb
transport-local
transport-any
transport:
OKAYx%s
%s:5555
No such device %s
%s@%s
%s.pub
write_public_keyfile
.\adb_auth_host.cpp
Failed to convert to publickey
Failed to open '%s'
Writing public key to '%s'
generate_key
generate_key '%s'
Failed to allocate key
Failed to write key
Failed to write public key
read_key
read_key '%s'
Failed to alloc key
Failed to read key
%s\%s
get_user_keyfilepath
home '%s'
.android
Cannot mkdir '%s'
adbkey
get_user_key
Error getting user key filename
user key '%s'
Failed to generate new key
ADB_VENDOR_KEYS
get_vendor_keys
Reading: '%s'
Can't read '%s'
Failed to read '%s'
adb_auth_sign len=%d
adb_auth_get_userkey
Can't load '%s'
%s: Content too large ret=%d
Failed to get user key
host:transport:%s
host:%s
switch_socket_transport
.\adb_client.cpp
Switch transport in progress
Switch transport failed
Switch transport success
protocol fault (status x x x x?!)
_adb_connect: %s
_adb_connect: return fd %d
adb_connect: service %s
* daemon not running. starting it now on port %d *
adb_connect: return fd %d
adb_query: %s
error: %s
/sdcard/tmp/%s
/data/local/tmp/%s
Android Debug Bridge version %d.%d.%d
connect <host>[:<port>] - connect to a device via TCP/IP
Port 5555 is used by default if no port number is specified.
disconnect [<host>[:<port>]] - disconnect from a TCP/IP device.
will disconnect from all connected TCP/IP devices.
tcp:<port>
adb jdwp - list PIDs of processes hosting a JDWP transport
adb install [-l] [-r] [-s] [--algo <algorithm name> --key <hex-encoded key> --iv <hex-encoded iv>] <file>
('--algo', '--key', and '--iv' mean the file is encrypted already)
adb bugreport - return all information from the device
that should be included in a bug report.
to "backup.ab" in the current directory.
(-apk|-noapk enable/disable backup of the .apks themselves
the -all or -shared flags are passed, then the package
adb tcpip <port> - restarts the adbd daemon listening on TCP on the specified port
1 or all, adb, sockets, packets, rwx, usb, sync, sysdeps, transport, jdwp
.\commandline.cpp
read_and_dump(): pre adb_read(fd=%d)
read_and_dump(): post adb_read(fd=%d): len=%d
copy_to_file(%d -> %d)
copy_to_file() : error %d
stdin_read_thread(): pre unix_read(fdi=%d,...)
stdin_read_thread(): post unix_read(fdi=%d,...)
host-serial:%s:%s
%s:%s
* failed to write data '%s' *
sending: '%s' M%%
* error response '%s' *
* cannot read '%s' *
%c[2J%c[2H
State: %s
error: adb %s not implemented on Win32
shell:export ANDROID_LOG_TAGS="%s" ; exec logcat
./backup.ab
adb: -f passed with no filename
adb: unable to open file %s
backup. filename=%s buf=%s
Now unlock your device and confirm the backup operation.
Now unlock your device and confirm the restore operation.
%s\config\envsetup.make
adb: bad ANDROID_BUILD_TOP value "%s"
adb: bad TOP value "%s"
adb: Couldn't get CWD: %s
%s\out\target\product\%s
adb: Couldn't find a product dir based on "-p %s"; "%s" doesn't exist
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
adb: could not resolve "-p %s"
host:%s%s
Usage: adb connect <host>[:<port>]
host:connect:%s
Usage: adb disconnect [<host>[:<port>]]
host:disconnect:%s
shell:%s
interactive shell loop. buff=%s
about to read_and_dump(fd=%d)
interactive shell loop. return r=%d
tcpip
bugreport
failure: %s *
host-serial:%s:forward:%s;%s
host-usb:forward:%s;%s
host-local:forward:%s;%s
host:forward:%s;%s
If you truly wish to continue, execute 'adb shell pm uninstall -k %s'
can't find '%s' to install
can't install '%s' because it's not a file
--key
error: could not connect to TCP port %d
cannot open '%s': %s
cannot read '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
failed to copy '%s' to '%s': %s
cannot create '%s': %s
cannot write '%s': %s
x x x %s
%s%s/
cannot stat '%s': %s
skipping special file '%s'
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
%s/%s
pull: %s -> %s
%d file%s pulled. %d file%s skipped.
remote object '%s' does not exist
remote object '%s' not a file or directory
syncing %s...
.\services.cpp
service thread started, %d:%d
wait_for_state %d
FAILx
.\sockets.cpp
LS(%d): enqueue %d
LS(%d): not ready, errno=%d: %s
LS(%d): destroying fde.fd=%d
LS(%d): discarding %d bytes
entered. LS(%d) fd=%d
LS(%d): closing peer. peer->id=%d peer->fd=%d
LS(%d): closed
LS(%d): closing
LS(%d): put on socket_closing_list fd=%d
LS(%d): event_func(fd=%d(==%d), ev=x)
closing after write because r=%d and errno is %d
LS(%d): post adb_read(fd=%d,...) r=%d (errno=%d) avail=%d
LS(%d): fd=%d post avail loop. r=%d is_eof=%d forced_eof=%d
LS(%d): fd=%d post peer->enqueue(). r=%d
closing because is_eof=%d r=%d s->fde.force_eof=%d
LS(%d): FDE_ERROR (fd=%d)
LS(%d): created (fd=%d)
LS(%d): bound to '%s' via %d
LS(%d) bound to '%s'
entered remote_socket_enqueue RS(%d) WRITE fd=%d peer.fd=%d
entered remote_socket_ready RS(%d) OKAY fd=%d peer.fd=%d
entered remote_socket_close RS(%d) CLOSE fd=%d peer->fd=%d
RS(%d) peer->close()ing peer->id=%d peer->fd=%d
RS(%d): closed
remote_socket_disconnect RS(%d)
RS(%d): created
Connect_to_remote call RS(%d) fd=%d
LS(%d): connect('%s')
SS(%d): enqueue %d
SS(%d): overflow
SS(%d): bad size (%d)
SS(%d): len is %d
SS(%d): waiting for %d more bytes
SS(%d): '%s'
SS(%d): handled host service '%s'
SS(%d): okay transport
SS(%d): couldn't create host service '%s'
SS(%d): okay
SS(%d): ready
SS(%d): closed
SS(%d): created %p
.\sysdeps_win32.cpp
load_file: could not read %ld bytes from '%s'
_fh_from_int: invalid fd %d
adb_read: could not read %d bytes from %s
adb_file_write: could not write %d bytes from %s
adb_open: could not open '%s':
%d(%s)
adb_open: '%s' => fd %d
adb_creat: could not open '%s':
adb_creat: '%s' => fd %d
adb_shutdown: %s
adb_close: %s
_socket_set_errno: unhandled value %d
socket_loopback_client: could not connect to %s:%d
%d(lo-client:%s%d)
socket_loopback_client: port %d type %s => fd %d
%d(lo-server:%s%d)
socket_loopback_server: port %d type %s => fd %d
%d(net-client:%s%d)
socket_network_client: host '%s' port %d type %s => fd %d
%d(any-server:%s%d)
socket_inaddr_server: port %d type %s => fd %d
adb_socket_accept: invalid fd %d
adb_socket_accept: accept on fd %d return error %ld
%d(accept:%s)
adb_socket_accept on fd %d returns fd %d
bip_buffer_write: error %d->%d WaitForSingleObject returned %d, error %ld
assertion failed '%s' on %s:%ld
bip_buffer_read: error %d->%d WaitForSingleObject returned %d, error %ld
adb_socketpair: not enough memory to allocate pipes
%d(pair:%d)
adb_socketpair: returns (%d, %d)
event_looper_hook: invalid fd=%d
event_looper_hook: call hook for %d (new=%x, old=%x)
event_looper_hook: ignoring events %x for %d wanted=%x)
event_looper_unhook: events %x not registered for fd %d
Unable to allocate thread array for %d handles.
Unable to create main event. Error: %d
Unable to create a waiting thread %d of %d. errno=%d
fdevent_update: remove %x from %d
fdevent_update: add %x to %d
adb_win32: waiting for %d events
handle count %d exceeds MAXIMUM_WAIT_OBJECTS.
adb_win32: got one (index %d)
adb_win32: signaling %s for %x
bogus negative fd (%d)
bogus huuuuge fd (%d)
could not expand fd_table to %d entries
fd out of range (%d)
_event_socket_start: no event for %s
_event_socket_start: hooking %s for %x (flags %ld)
_event_socket_start: WSAEventSelect() for %s failed, error %d
_event_socket_check %s returns %d
_event_socketpair_start: hook %s for %x wanted=%x
run_transport_disconnects
.\transport.cpp
%s: run_transport_disconnects
%s: %s: [%s] arg0=%s arg1=%s (len=%d)
fd=%d
%s: read_packet (fd=%d), error ret=%d errno=%d: %s
%s: write_packet (fd=%d) error ret=%d errno=%d: %s
transport_socket_events
transport_socket_events(fd=%d, events=x,...)
%s: failed to read packet from transport socket on fd %d
Transport is null
Transport is null
cannot enqueue packet on transport socket
%s: starting transport output thread on fd %d, SYNC online (%d)
%s: failed to write SYNC packet
%s: data pump started
%s: received remote packet, sending to transport
%s: failed to write apacket to transport
%s: remote read failed for transport
%s: SYNC offline for transport
%s: failed to write SYNC apacket to transport
%s: transport output thread is exiting
%s: starting transport input thread, reading from fd %d
%s: failed to read apacket from transport on fd %d
%s: transport SYNC offline
%s: transport SYNC online
%s: transport ignoring SYNC %d != %d
%s: transport got packet, sending to remote
%s: transport ignoring packet while offline
%s: transport input thread is exiting, fd %d
transport_read_action
transport_read_action: on fd %d, error %d: %s
transport_write_action
transport_write_action: on fd %d, error %d: %s
cannot read transport registration socket
transport_registration_func
transport: %s removing and free'ing %d
cannot open transport socketpair
transport: %s (%d,%d) starting
cannot open transport registration socketpair
register_transport
transport: %s registered
cannot write transport registration socket
remove_transport
transport: %s removed
transport_unref_locked
transport: %s unref (kicking and closing)
transport: %s unref (count=%d)
%s%n%s
%-22s %s
register_socket_transport
transport: %s init'ing for socket %d, on port %d
register_usb_transport
transport: %p init'ing for usb_handle %p (sn='%s')
readx: fd=%d wanted=%d
readx: fd=%d error %d: %s
readx: fd=%d disconnected
readx: fd=%d wanted=%d got=%d
writex: fd=%d len=%d:
writex: fd=%d error %d: %s
writex: fd=%d disconnected
check_header(): %d > MAX_PAYLOAD
.\transport_local.cpp
local_connect_arbitrary_ports
transport: client_socket_thread() starting
transport: server_socket_thread() starting
server: trying to get new connection from %d
server: new connection on fd %d
transport: local %s init
cannot create local socket %s thread
init_socket_transport
local transport for port %d already registered (%p)?
cannot register more emulators. Maximum is %d
.\transport_usb.cpp
init_usb_transport
transport: usb
adb_usb.ini
Invalid content in %s. Quitting.
%s\%s\%s
.\usb_windows.cpp
usb_write %d
usb_write got: %ld, expected: %d
usb_write failed: %d
usb_read %d
usb_write got: %ld, expected: %d, errno: %d
usb_read failed: %d
adding a new device %s
register_new_device failed for %s
1.3.6.1.4.1.311.2.1.12
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d)   comment(%d) exceeds len (%d)
Length is %d -- too small
Archive spanning not supported
WS2_32.dll
AdbWinApi.DLL
CreatePipe
KERNEL32.dll
USER32.dll
ReportEventA
ADVAPI32.dll
SHELL32.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CertGetNameStringA
CryptMsgGetParam
CRYPT32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RootGenius\shuame_helper.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
>">)>.>3>8>^>
5.53585=5
;/;4;9;];
-0@0`0|0
0 0$0(0,0
:"=0=4=8=<=@=
> >$>(>,>0>4>8>
00L0~0
6 6@6`6|6
7 7<7@7`7
mscoree.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    World of Tanks Hack v.6.0.exe:2000
    %original file name%.exe:136
    shuame_helper.exe:568
    shuame_helper.exe:1852

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack.exe (3748 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius.exe (34007 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\World of Tanks Hack v.6.0.exe (7386 bytes)
    %Documents and Settings%\%current user%\.android\adbkey (1 bytes)
    %Documents and Settings%\%current user%\.android\adbkey.pub (732 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)
    %Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x64.exe (87 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\v (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\rgs (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\upNew_RootGenius.exe.tmp.fd (256409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.dll (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser.zip (3863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\busybox (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\android_driver\devcon_x86.exe (83 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\info (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ddexe (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGenius.zip (23407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\su (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\RootGeniusEx.zip (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\su1 (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\shuame_helper.exe (3811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Download\KingUser.tmp.fd (85886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\run_daemon (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\UpdateGenius.exe (79 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Application Data\Shuame\.clientid (327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8UT3N2QI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\Kinguser.apk (7666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Bin\fakebackup.ab (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinApi.dll (101 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6SKZNAOD\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\79KZR3GB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NE6NOXOX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\AdbWinUsbApi.dll (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\ku.sud (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\install-recovery.sh (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Superuser\toolbox (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\zlib1.dll (187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RootGenius\Data\Apk\StayAwake.apk (45 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "msdcsc" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
