File name:

3dyd64_1.20.4.exe

Full analysis: https://app.any.run/tasks/1c110b50-d8cd-4f94-baab-0d4f0fbb72dc
Verdict: Malicious activity
Analysis date: June 14, 2024, 09:34:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

0B3D43C21DAFDFC9B673B6E883E96703

SHA1:

BD868B477EC2B0DBEEB863CD66DE59AA5CAA2106

SHA256:

75FA4A477112F405B253491995221741D6019B20D0C52AB62D4C22AD9362D16A

SSDEEP:

196608:Jjnm7PPjOAOrWspqcncB+Y53Its92J4VIBaY/VWs2imWJp:gnjO3rrc53cY2JAc/VWumWz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 3dyd64_1.20.4.exe (PID: 3592)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Node.exe was dropped

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Creates a software uninstall entry

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Executable content was dropped or overwritten

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Reads the date of Windows installation

      • 3dyd64.exe (PID: 3728)

    • Reads security settings of Internet Explorer

      • 3dyd64.exe (PID: 3728)

    • Write to the desktop.ini file (may be used to cloak folders)

      • 3dyd64.exe (PID: 3728)

  • INFO

    • Create files in a temporary directory

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Reads the computer name

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)

    • Checks supported languages

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)

    • Creates files or folders in the user directory

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:50:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.20.4.0
ProductVersionNumber: 1.20.4.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: https://3dyd.com
CompanyName: 3DYD Soft
FileDescription: 3D Youtube Downloader (x64) Installer
FileVersion: 1.20.4
LegalCopyright: Copyright (C) 2012-2024 3DYD Soft
OriginalFileName: 3dyd64_1.20.4.exe
ProductName: 3D Youtube Downloader (x64)
ProductVersion: 1.20.4
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 3dyd64_1.20.4.exe 3dyd64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3592"C:\Users\admin\Desktop\3dyd64_1.20.4.exe" C:\Users\admin\Desktop\3dyd64_1.20.4.exe
explorer.exe
User:
admin
Company:
3DYD Soft
Integrity Level:
MEDIUM
Description:
3D Youtube Downloader (x64) Installer
Exit code:
0
Version:
1.20.4
Modules
Images
c:\users\admin\desktop\3dyd64_1.20.4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3728"C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe"C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe3dyd64_1.20.4.exe
User:
admin
Company:
3DYD Soft
Integrity Level:
MEDIUM
Description:
3D Youtube Downloader (x64)
Version:
1.20.4
Modules
Images
c:\users\admin\appdata\local\programs\3d youtube downloader (x64)\3dyd64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
7 599
Read events
7 573
Write events
26
Delete events
0

Modification events

(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\3DYD Soft\3D Youtube Downloader (x64)
Operation:writeName:program_exe_name
Value:
3dyd64.exe
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\3DYD Soft\3D Youtube Downloader (x64)\Language
Operation:writeName:Current
Value:
en
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:InstallLocation
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayName
Value:
3D Youtube Downloader (x64)
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayIcon
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayVersion
Value:
1.20.4
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:Publisher
Value:
3DYD Soft
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:NoModify
Value:
1
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:NoRepair
Value:
1
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:UninstallString
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\uninstall.exe
Executable files
40
Suspicious files
6
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\LangDLL.dllexecutable
MD5:109B201717AB5EF9B5628A9F3EFEF36F
SHA256:20E642707EF82852BCF153254CB94B629B93EE89A8E8A03F838EEF6CBB493319
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\help_map.xmlxml
MD5:539B9EDAC5962E1E535475AB44B6B023
SHA256:375AEB6CD0F674B66C41AC46F08FCDD02E99794C3F9114EECCE7CBA952734F56
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\avutil-55.dllexecutable
MD5:4F9DCE351BA6FBB29DBA6C08057E8F12
SHA256:411DAF3D5080C180A8D2247B4BCC1F5BE750FE82B598FAC5A49FD5D5BE1CFEF0
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\eula.txttext
MD5:BD96F3157A0BA07915256CB5201A4751
SHA256:F3CA7F58AA347CF4CDC00C7030D3448CD534AD5BAA30EB5D47A29A12A9FAA83A
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\swscale-4.dllexecutable
MD5:27386D143989F01BEA765890FFA2B4EF
SHA256:C92BD52AD9D2B228440E5E649FF74EC20D59896B432CD8718DBF5BC8F2280C63
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exeexecutable
MD5:9E1007914A6E25A501D745D8F5454EC7
SHA256:29772EBAD3E64485EE8D0A0E6805692E165DBA1C916359879B53D2A2E238C9C7
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\lang64\ar.dllexecutable
MD5:77D0BF6BEF36EA1311AEE0CE0105871A
SHA256:6449D3C510FE54FF501AF530E5DF99F53CB97C407ABFCA689C8C46AE693008E1
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\lang64\bg.dllexecutable
MD5:D4C6C8986A51506938C7EEB38F2A27C6
SHA256:E0BBE5187494E9E70C803ED8D32636D4BAB30036433ABF2D96A620B45C5D2168
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\node-LICENSEtext
MD5:8BA3B6EB6223C7C67B0ED800A9804900
SHA256:DEEF3DB25C04F2E739A607CF69B278216DCA31FE0133231E907920BD09328D35
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\nsProcess.dllexecutable
MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
MoUsoCoreWorker.exe
GET
200
2.21.97.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5612
svchost.exe
GET
200
2.21.97.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5612
svchost.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4856
RUXIMICS.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
200
2.21.96.51:443
https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w
unknown
s
21.3 Kb
GET
200
2.21.96.51:443
https://www.bing.com/manifest/threshold.appcache
unknown
text
3.36 Kb
POST
200
20.189.173.26:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5612
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4856
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5612
svchost.exe
2.21.97.42:80
crl.microsoft.com
Akamai International B.V.
SE
unknown
239.255.255.250:1900
unknown
5140
MoUsoCoreWorker.exe
2.21.97.42:80
crl.microsoft.com
Akamai International B.V.
SE
unknown
5612
svchost.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
4856
RUXIMICS.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
5140
MoUsoCoreWorker.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
5456
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.21.97.42
  • 2.21.97.24
whitelisted
www.microsoft.com
  • 23.37.13.218
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.21.96.51
  • 2.21.96.16
whitelisted
r.bing.com
  • 2.21.96.16
  • 2.21.96.51
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3dyd64_1.20.4.exe