sd3672.exe

Queries for the computername (10 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 8, 2021, 9:15 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (1 event)

request

GET http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=37wancom&ext_3=sd3672&ext_4=C2E2596C4C464D049761EA216CC6557D&ext_5=bc117b1625961482d7217427f2af8340&ext_6=2&browser_type=3003

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724f2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72492000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 8, 2021, 9:15 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13724016640 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW April 8, 2021, 9:16 a.m.	total_number_of_free_bytes: 13727387648 free_bytes_available: 13727387648 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00039358

size

0x00000210

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\Desktop\ÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\ÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\ÓÎÏ·\sd3672\sd3672.exe
file	C:\Users\test22\AppData\Roaming\ÓÎÏ·\sd3672\uninst.exe
file	C:\Users\test22\AppData\Local\Temp\nsf6155.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\жÔØÍøÒ³ÓÎÏ·.lnk

Creates a shortcut to an executable file (22 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\ÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ÍøÒ³ÓÎÏ·.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\жÔØÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\жÔØÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\Users\test22\Desktop\ÍøÒ³ÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÍøÂçÓÎÏ·ÖÐÐÄ\ÍøÒ³ÓÎÏ·\ÍøÒ³ÓÎÏ·.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ÍøÒ³ÓÎÏ·.lnk

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\ÓÎÏ·\sd3672\sd3672.exe
file	C:\Users\test22\AppData\Local\Temp\nsf6155.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\ÓÎÏ·\sd3672\uninst.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: pw.exe process_identifier: 1068	1	1	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: mobsync.exe process_identifier: 2824	1	1	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: taskhost.exe process_identifier: 2884	1	1	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 1868	1	1	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: dllhost.exe process_identifier: 2932	1	1	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (10 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0
Process32NextW April 8, 2021, 9:15 a.m.	snapshot_handle: 0x000000d4 process_name: sd3672.exe process_identifier: 2672		0	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW April 8, 2021, 9:15 a.m.	regkey_r: \SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\网升游戏更新客户端 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\网升游戏更新客户端		161	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ÍøÒ³ÓÎÏ·.lnk SW_SHOWNORMAL

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.HfsAdware.AFDF
CAT-QuickHeal	Application.Agent.ZZ5
VIPRE	Adware.Win32.Wews87
K7GW	Unwanted-Program ( 0050eb4a1 )
K7AntiVirus	Unwanted-Program ( 0050eb4a1 )
NANO-Antivirus	Riskware.Win32.FileFinder.eyvluu
Symantec	ML.Attribute.HighConfidence
Kaspersky	not-a-virus:AdWare.Win32.FileFinder.gen
AegisLab	Troj.Downloader.Nsis!c
Sophos	Generic PUA EG (PUA)
Comodo	Application.Win32.Wews87.B
Zillya	Dropper.AgentCRTD.Win32.7861
Cyren	W32/GenPua.3478322E!Olympus
Jiangmin	AdWare.Wews87.g
Fortinet	Adware/Wews87
Antiy-AVL	GrayWare[AdWare]/Win32.Wews87
Endgame	malicious (moderate confidence)
ZoneAlarm	not-a-virus:AdWare.Win32.FileFinder.gen
Microsoft	PUA:Win32/Youxun
AVware	Adware.Win32.Wews87
VBA32	AdWare.Wews87
ESET-NOD32	a variant of Win32/Wews87.A potentially unwanted
Yandex	PUA.Wews87!
Ikarus	PUA.Wews87