Analysis Date: 2014-08-22 03:56:33
MD5: 74da0355335d8703211cada9783e514e
SHA1: 19c9f6ed5883073459b7adc5592ec6f9985a84db

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 812f9d50145009f39fea45a2d71c42be sha1: 3548ae14314cdefbfc1ba13182af7fb6d37450df size: 60928
Section .sdata md5: 09f20f04455f690e42e41506edc62fb7 sha1: 7d1f8e5e7045bfe9cf6256fb6a6a5d27c7556431 size: 512
Section .rsrc md5: fd06b3c4cdf7d76c1762363bc5b1040c sha1: 80934f6265db7ce0e6d294c8a736b662311d2f7b size: 39424
Section .reloc md5: 2ccfe4f581013d3a9dfb50fda0c80042 sha1: 06e5935f591558f42e1af0c32a8ba40b45547ebb size: 512
Timestamp: 2013-01-30 10:45:25
Pdb path: C:\Users\ulti\Desktop\ZombieTag Loader\ZombieTag Loader\obj\x86\Debug\cpu hack.pdb
Version:
LegalCopyright: Copyright © 2013
Assembly Version: 1.0.0.0
InternalName: cpu hack.exe
FileVersion: 1.0.0.0
ProductName: ZombieTag Loader
ProductVersion: 1.0.0.0
FileDescription: ZombieTag Loader
OriginalFilename: cpu hack.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 580c1d9e98b0b64b26b02c1567ff93e479112521
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Network Details:


Raw Pcap

Strings
D...
.
..U
000004b0
1.0.0.0
1: Open launcher
  2013
2: Login
3: Start
4: Enjoy :D
7}7|
Assembly Version
btnConnect
Checking Version
Copyright 
Cpu 
cpu hack.exe
Cpu hack v0.2
cpu_Loader.Resources
C:\windows\cputag
Done
Downloading file please wait
FileDescription
FileVersion
Form1
Form2
Form3
GroupBox1
GroupBox1.BackgroundImage
http://cpu.zz.mu/Guide%20System.txt
http://cpu.zz.mu/loader.php
http://cpu.zz.mu/PHO-NakedChams-v2.dll
http://zombietag.name/loader.php?ver
InternalName
Kernel32
Label1
Label2
Label3
Label4
LegalCopyright
LoadLibraryA
Login
opening..
OriginalFilename
Password
Please Login your lnlgaming.us account to proceed
Please Wait
Processing
processorID
ProductName
ProductVersion
ProgressBar1
Property can only be set to Nothing
Sorry not Active
specialforce
StringFileInfo
Success
TextBox1
TextBox2
Theres a new version
$this.BackgroundImage
$this.Icon
Translation
txtHWID
Username
VarFileInfo
VS_VERSION_INFO
Waiting...
win32_processor
WinForms_RecursiveFormCreate
WinForms_SeeInnerException
Your Guide:
ZombieTag Loader
/ #'),,,
%,,,,,,,,,,,,,,,,0,,,,),,,-,,,,4,,,,,,,,,,,,,,,,,,,
{0D+I5
1.0.0.0
>133saaa
150*5&+,)
1z.D-H
2.0.0.0
  2013
^3}CVH
3System.Resources.Tools.StronglyTypedResourceBuilder
,'3)tu
4System.Web.Services.Protocols.SoapHttpClientProtocol
5=aPu3
6lmmSn
6MzQ|cu
79vb{o
8.0.0.0
86}rT*0
8	me${
9.0.0.0
9{,E,,
9r7.*0;7
AccessedThroughPropertyAttribute
Activator
AddAnnotation
add_Click
add_DownloadFileCompleted
add_DownloadProgressChanged
add_DownloadStringCompleted
addedHandler
addedHandlerLockObject
add_Enter
add_Load
add_Shutdown
add_TextChanged
add_Tick
ahX,Ph
Annotation
Application
ApplicationSettingsBase
ArgumentException
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AsyncCompletedEventArgs
AsyncCompletedEventHandler
Attribute
attributes
AttributeValue
AuthenticationMode
AutoSaveSettings
AutoScaleMode
B3k@tt-|
$b6f50c90-1c9b-4f6d-a475-267bc7f15f46
bInheritHandle
<b`mGS
BpMYpS#
btnConnect
_btnConnect
btnConnect_Click
Button
ButtonBase
{c3aXi
.cctor
c,D5nC
CheckForSyncLockOnValueType
ClearProjectError
CloseHandle
CloseHandleA
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Component
ComponentResourceManager
components
Computer
ComVisibleAttribute
Concat
Container
ContainerControl
Contains
ContainsKey
ContentAlignment
Control
ControlCollection
Conversions
Copyright 
_CorExeMain
cpu hack
cpu hack.exe
cpuInfo
cpu_Loader
cpu_Loader.Form1.resources
cpu_Loader.Form2.resources
cpu_Loader.Form3.resources
cpu_Loader.My
cpu_Loader.My.Resources
cpu_Loader.Resources.resources
Create
CreateAttribute
CreateDirectory
CreateInstance
Create__Instance__
CreateNamespaceAttribute
CreateRemoteThread
c)s:_~K:( V2
Culture
CultureInfo
C:\Users\ulti\Desktop\ZombieTag Loader\ZombieTag Loader\obj\x86\Debug\cpu hack.pdb
d%	2+!*![(
DebuggableAttribute
DebuggerHiddenAttribute
DebuggerNonUserCodeAttribute
DebuggerStepThroughAttribute
DebuggingModes
Default
defaultInstance
Delete
DesignerGeneratedAttribute
Directory
DirectoryInfo
Dispose
Dispose__Instance__
disposing
dl2_DownloadFileCompleted
dl2_DownloadProgressChanged
dl_DownloadProgressChanged
dl_DownloadStringCompleted
DoEvents
download
DownloadFileAsync
DownloadProgressChangedEventArgs
DownloadProgressChangedEventHandler
DownloadString
DownloadStringAsync
DownloadStringCompletedEventArgs
DownloadStringCompletedEventHandler
dVBT%,
dwCreationFlags
dwDesiredAccess
dwProcessId
dwSize
dwStackSize
%e}}=[]]
EditorBrowsableAttribute
EditorBrowsableState
__ENCList
Enumerable
E|#!*o
Equals
	 E}T1
EventArgs
EventHandler
Exception
Exists
ExtensionAttribute
""|-Ez
F#(\6N
filename
FindWindow
FindWindowA
flAllocationType
FlatStyle
flProtect
F-, M5
Form1_Load
Form2_Load
FormBorderStyle
FormStartPosition
Func`2
GeneratedCodeAttribute
get_Application
get_Assembly
get_AttributeValue
get_Blue
get_btnConnect
get_Computer
get_Controls
get_Count
get_Culture
get_Current
get_Cyan
get_Default
get_dl
get_dl2
get_ElapsedMilliseconds
GetEnumerator
get_FirstAttribute
get_Form1
get_Form2
get_Form3
get_Forms
get_Fuchsia
get_GetInstance
get_GroupBox1
GetHashCode
GetHWID
get_Id
getinfo
get_InnerException
GetInstance
GetInstances
get_IsDisposed
get_IsNamespaceDeclaration
get_Item
get_Label1
get_Label2
get_Label3
get_Label4
get_LocalName
get_Message
GetModuleHandle
GetModuleHandleA
get_Name
get_NamespaceName
get_NextAttribute
GetObject
GetObjectValue
GetProcAddress
GetProcessesByName
get_ProgressBar1
get_ProgressPercentage
get_Properties
get_Red
get_ResourceManager
GetResourceString
GetResponse
GetResponseStream
get_Result
get_SaveMySettingsOnExit
get_Settings
get_TextBox1
get_TextBox2
get_Timer1
get_Transparent
get_txtHWID
GetType
GetTypeFromHandle
get_UseCompatibleTextRendering
get_User
get_Value
get_WebServices
get_White
g	kv8~
G[OT	:n
GPmaQ7
GroupBox
GroupBox1
_GroupBox1
	GroupBox1
GroupBox1_Enter
GuidAttribute
Hashtable
height
HelpKeywordAttribute
.Hhem^
hIDATg
HideModuleNameAttribute
hModule
hObject
hProcess
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3afSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADPBj
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
HttpWebRequest
HttpWebResponse
IButtonControl
IconData
IconSize
IContainer
IDAThC
IDisposable
IEnumerable
IEnumerable`1
IEnumerator
IEnumerator`1
InitializeComponent
Inject
inScopeNs
inScopePrefixes
instance
Instance
Interaction
InternalXmlHelper
interval
InvalidOperationException
IWebProxy
?J'+0A
kernel32
Kernel32
kGppz]?,N
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
>L6}?J)
Label1
_Label1
Label2
_Label2
Label3
_Label3
Label4
_Label4
List`1
/LMLmo
LoadLibrary
LoadLibraryA
?LOO?\(
lpAddress
lpBaseAddress
lpBuffer
lpClassName
lpLibFileName
lpModuleName
lpNumberOfBytesWritten
lpParameter
lpProcName
lpStartAddress
lpThreadAttributes
lpThreadId
lpWindowName
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
\$^.LVS1J
;M2,,"
ManagementBaseObject
ManagementClass
ManagementObject
ManagementObjectCollection
ManagementObjectEnumerator
m_AppObjectProvider
m_attributes
m_ComputerObjectProvider
MEM_COMMIT
m_Form1
m_Form2
m_Form3
m_FormBeingCreated
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
m_inScopeNs
m_inScopePrefixes
m_MyFormsObjectProvider
m_MyWebServicesObjectProvider
<Module>
Monitor
MoveNext
mscoree.dll
mscorlib
MsgBox
MsgBoxResult
MsgBoxStyle
m_ThreadStaticValue
m_UserObjectProvider
MyApplication
My.Application
MyComputer
My.Computer
MyForms
My.Forms
MyGroupCollectionAttribute
My.MyProject.Forms
MyProject
MySettings
My.Settings
MySettingsProperty
MyTemplate
My.User
MyWebServices
My.WebServices
:n:sA7
o@B#]|
Object
ObjectFlowControl
;Oh[PE0%
OnCreateMainForm
OpenProcess
op_Equality
Operators
op_Explicit
=OW:EPy
o)ZcG%
+P 04Db
PADPADP
PAGE_READWRITE
PerformLayout
pfnStartAddr
p(q(i6.
Process
PROCESS_CREATE_THREAD
ProcessObject
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE
ProcessXElement
ProgressBar
ProgressBar1
_ProgressBar1
ProgressChangedEventArgs
ProjectData
PropertyData
PropertyDataCollection
pszLibFileRemote
qg$/x+
q@{P>O4R
qRdJKH<#
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
ReadProcessMemory
ReadToEnd
ReferenceEquals
@.reloc
Remove
remove_Click
remove_DownloadFileCompleted
remove_DownloadProgressChanged
remove_DownloadStringCompleted
remove_Enter
RemoveNamespaceAttributes
RemoveNamespaceAttributesClosure
remove_TextChanged
remove_Tick
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
resourceCulture
resourceMan
ResourceManager
Resources
ResumeLayout
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
`.sdata
    </security>
    <security>
Select
sender
set_AcceptButton
set_AttributeValue
SetAttributeValue
set_AutoScaleDimensions
set_AutoScaleMode
set_AutoSize
set_BackColor
set_BackgroundImage
set_btnConnect
set_ClientSize
SetCompatibleTextRenderingDefault
set_Culture
set_dl
set_dl2
set_Enabled
set_EnableVisualStyles
set_FlatStyle
set_ForeColor
set_Form1
set_Form2
set_Form3
set_FormBorderStyle
set_GroupBox1
set_Icon
set_IsSingleInstance
set_Label1
set_Label2
set_Label3
set_Label4
set_Location
set_MainForm
set_MaximizeBox
set_MinimizeBox
set_Name
set_ProgressBar1
SetProjectError
set_Proxy
set_SaveMySettingsOnExit
set_ShutdownStyle
set_Size
set_StartPosition
set_TabIndex
set_TabStop
set_Text
set_TextAlign
set_TextBox1
set_TextBox2
set_Timer1
Settings
SettingsBase
set_txtHWID
set_UseSystemPasswordChar
set_UseVisualStyleBackColor
set_Value
ShutdownEventHandler
ShutdownMode
source
StandardModuleAttribute
STAThreadAttribute
Stopwatch
Stream
StreamReader
String
Strings
#Strings
SuspendLayout
Synchronized
System
System.CodeDom.Compiler
System.Collections
System.Collections.Generic
System.ComponentModel
System.ComponentModel.Design
System.Configuration
System.Core
System.Diagnostics
System.Drawing
System.Drawing.Bitmap
System.Drawing.Icon
System.Drawing.Size
System.Globalization
System.IO
System.Linq
System.Management
System.Net
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
System.Windows.Forms
System.Windows.Forms.Form
System.Xml.Linq
TargetBufferSize
TargetInvocationException
TargetProcessHandle
Tbvm[O
TextBox
TextBox1
_TextBox1
TextBox1_TextChanged
TextBox2
_TextBox2
TextBoxBase
TH32CS_SNAPPROCESS
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStaticAttribute
Timer1
_Timer1
Timer1_Tick
ToString
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
txtHWID
_txtHWID
txtHWID_TextChanged
@u(%gm
U|k4ZY
Update
uq4<9~
user32
v2.0.50727
v(e(fV
VirtualAllocEx
V,:np*
WeakReference
WebClient
WebRequest
WebResponse
WebServices
WindowsFormsApplicationBase
WithEventsValue
;.$WlDJ
WrapNonExceptionThrows
WriteProcessMemory
_<,WUJa
w?w :C
XAttribute
^xavcc
.x$(Db
XElement
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XNamespace
XObject
Ye	~hm7X#
y+MzO+
YourPath
=Z@kTf
ZombieTag Loader