File name:

3dyd64_1.20.4.exe

Full analysis: https://app.any.run/tasks/1c110b50-d8cd-4f94-baab-0d4f0fbb72dc
Verdict: Malicious activity
Analysis date: June 14, 2024, 09:34:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

0B3D43C21DAFDFC9B673B6E883E96703

SHA1:

BD868B477EC2B0DBEEB863CD66DE59AA5CAA2106

SHA256:

75FA4A477112F405B253491995221741D6019B20D0C52AB62D4C22AD9362D16A

SSDEEP:

196608:Jjnm7PPjOAOrWspqcncB+Y53Its92J4VIBaY/VWs2imWJp:gnjO3rrc53cY2JAc/VWumWz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 3dyd64_1.20.4.exe (PID: 3592)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Executable content was dropped or overwritten

      • 3dyd64_1.20.4.exe (PID: 3592)

    • The process creates files with name similar to system file names

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Creates a software uninstall entry

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Reads the date of Windows installation

      • 3dyd64.exe (PID: 3728)

    • Node.exe was dropped

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Write to the desktop.ini file (may be used to cloak folders)

      • 3dyd64.exe (PID: 3728)

    • Reads security settings of Internet Explorer

      • 3dyd64.exe (PID: 3728)

  • INFO

    • Create files in a temporary directory

      • 3dyd64_1.20.4.exe (PID: 3592)

    • Checks supported languages

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)

    • Reads the computer name

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)

    • Creates files or folders in the user directory

      • 3dyd64_1.20.4.exe (PID: 3592)
      • 3dyd64.exe (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:50:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.20.4.0
ProductVersionNumber: 1.20.4.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: https://3dyd.com
CompanyName: 3DYD Soft
FileDescription: 3D Youtube Downloader (x64) Installer
FileVersion: 1.20.4
LegalCopyright: Copyright (C) 2012-2024 3DYD Soft
OriginalFileName: 3dyd64_1.20.4.exe
ProductName: 3D Youtube Downloader (x64)
ProductVersion: 1.20.4
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 3dyd64_1.20.4.exe 3dyd64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3592"C:\Users\admin\Desktop\3dyd64_1.20.4.exe" C:\Users\admin\Desktop\3dyd64_1.20.4.exe
explorer.exe
User:
admin
Company:
3DYD Soft
Integrity Level:
MEDIUM
Description:
3D Youtube Downloader (x64) Installer
Exit code:
0
Version:
1.20.4
Modules
Images
c:\users\admin\desktop\3dyd64_1.20.4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3728"C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe"C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe3dyd64_1.20.4.exe
User:
admin
Company:
3DYD Soft
Integrity Level:
MEDIUM
Description:
3D Youtube Downloader (x64)
Version:
1.20.4
Modules
Images
c:\users\admin\appdata\local\programs\3d youtube downloader (x64)\3dyd64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
7 599
Read events
7 573
Write events
26
Delete events
0

Modification events

(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\3DYD Soft\3D Youtube Downloader (x64)
Operation:writeName:program_exe_name
Value:
3dyd64.exe
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\3DYD Soft\3D Youtube Downloader (x64)\Language
Operation:writeName:Current
Value:
en
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:InstallLocation
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayName
Value:
3D Youtube Downloader (x64)
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayIcon
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exe
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:DisplayVersion
Value:
1.20.4
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:Publisher
Value:
3DYD Soft
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:NoModify
Value:
1
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:NoRepair
Value:
1
(PID) Process:(3592) 3dyd64_1.20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3D Youtube Downloader (x64)
Operation:writeName:UninstallString
Value:
C:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\uninstall.exe
Executable files
40
Suspicious files
6
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\System.dllexecutable
MD5:8CF2AC271D7679B1D68EEFC1AE0C5618
SHA256:6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\avutil-55.dllexecutable
MD5:4F9DCE351BA6FBB29DBA6C08057E8F12
SHA256:411DAF3D5080C180A8D2247B4BCC1F5BE750FE82B598FAC5A49FD5D5BE1CFEF0
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\avcodec-57.dllexecutable
MD5:CFD4CB7363A7D2C0C82D0EB4D78F7B38
SHA256:3ADB91DC7A0C2512FA49433E87D643E9F6415FAE457F0209C0120CCFC90B6A8F
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\avformat-57.dllexecutable
MD5:B847C03CC6F940C5E19F12F4722BD814
SHA256:B86AD8DAF0AFE8F04E2B2297E14ED10B6757BAC272E8445FA6F5F51FA2118A1D
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\LangDLL.dllexecutable
MD5:109B201717AB5EF9B5628A9F3EFEF36F
SHA256:20E642707EF82852BCF153254CB94B629B93EE89A8E8A03F838EEF6CBB493319
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\ffmpeg64\swscale-4.dllexecutable
MD5:27386D143989F01BEA765890FFA2B4EF
SHA256:C92BD52AD9D2B228440E5E649FF74EC20D59896B432CD8718DBF5BC8F2280C63
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\3dyd64.exeexecutable
MD5:9E1007914A6E25A501D745D8F5454EC7
SHA256:29772EBAD3E64485EE8D0A0E6805692E165DBA1C916359879B53D2A2E238C9C7
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Temp\nse40E0.tmp\nsDialogs.dllexecutable
MD5:EC9640B70E07141FEBBE2CD4CC42510F
SHA256:C5BA017732597A82F695B084D1AA7FE3B356168CC66105B9392A9C5B06BE5188
35923dyd64_1.20.4.exeC:\Users\admin\AppData\Local\Programs\3D Youtube Downloader (x64)\node-LICENSEtext
MD5:8BA3B6EB6223C7C67B0ED800A9804900
SHA256:DEEF3DB25C04F2E739A607CF69B278216DCA31FE0133231E907920BD09328D35
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5612
svchost.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5612
svchost.exe
GET
200
2.21.97.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.21.97.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
4856
RUXIMICS.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.37.13.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
200
2.21.96.51:443
https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w
unknown
s
21.3 Kb
unknown
GET
200
2.21.96.51:443
https://www.bing.com/manifest/threshold.appcache
unknown
text
3.36 Kb
unknown
POST
200
20.189.173.26:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5612
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4856
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5612
svchost.exe
2.21.97.42:80
crl.microsoft.com
Akamai International B.V.
SE
unknown
239.255.255.250:1900
unknown
5140
MoUsoCoreWorker.exe
2.21.97.42:80
crl.microsoft.com
Akamai International B.V.
SE
unknown
5612
svchost.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
4856
RUXIMICS.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
5140
MoUsoCoreWorker.exe
23.37.13.218:80
www.microsoft.com
AKAMAI-AS
PH
unknown
5456
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.21.97.42
  • 2.21.97.24
whitelisted
www.microsoft.com
  • 23.37.13.218
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.21.96.51
  • 2.21.96.16
whitelisted
r.bing.com
  • 2.21.96.16
  • 2.21.96.51
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3dyd64_1.20.4.exe