{"id":28010,"date":"2024-10-30T15:48:57","date_gmt":"2024-10-30T15:48:57","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=28010"},"modified":"2024-11-05T20:12:33","modified_gmt":"2024-11-05T20:12:33","slug":"pua-win32-dndownloader","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/pua-win32-dndownloader\/","title":{"rendered":"PUA:Win32\/DNDownloader"},"content":{"rendered":"<p>You may see <strong>a PUA:Win32\/DNDownloader detection<\/strong> while installing certain software. This detection refers to potentially unwanted software that attempts to run unwanted apps along with the \u201cmain\u201d installation. In this article, I explain how to remove it and show the dangers related to that threat.<\/p>\n<h2>Detection Overview<\/h2>\n<p>PUA:Win32\/DNDownloader is <a href=\"https:\/\/gridinsoft.com\/blogs\/heuristic-virus\/\">a heuristic detection<\/a> of potentially unwanted software associated <strong>with the LDPlayer app<\/strong>. LDPlayer is a free Windows-based Android emulator developed by the Chinese company XuanZhi. 
In general, the <strong>emulator itself is not harmful<\/strong>, while programs that are installed along with it are.<\/p>\n<figure id=\"attachment_28023\" aria-describedby=\"caption-attachment-28023\" style=\"width: 1562px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection.webp\" alt=\"PUA:Win32\/DNDownloader detection window screenshot\" width=\"1562\" height=\"1064\" class=\"size-full wp-image-28023\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection.webp 1562w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection-300x204.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection-1024x698.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection-768x523.webp 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection-1536x1046.webp 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader-detection-860x586.webp 860w\" sizes=\"auto, (max-width: 1562px) 100vw, 1562px\" \/><figcaption id=\"caption-attachment-28023\" class=\"wp-caption-text\">PUA:Win32\/DNDownloader detection window<\/figcaption><\/figure>\n<p>Although LDPlayer has an official website, VirusTotal search results indicate that PUA:Win32\/DNDownloader is distributed through malicious websites, often disguised as popular programs, mobile game clients, or <a href=\"https:\/\/gridinsoft.com\/crack\">cracked mobile apps<\/a>. 
Common disguises include popular games and software for specific tasks:<\/p>\n<ul>\n<div class=\"su-row\"><div class=\"su-column su-column-size-1-2\"><div class=\"su-column-inner su-u-clearfix su-u-trim\">\n<li>Terraria<\/li>\n<li>Roblox.client<\/li>\n<li>Brawlstars<\/li>\n<li>Pokemongo<\/li>\n<li>Mobile.legends<\/li>\n<\/div><\/div><div class=\"su-column su-column-size-1-2\"><div class=\"su-column-inner su-u-clearfix su-u-trim\">\n<li>Standoff2<\/li>\n<li>Pixlink.camera<\/li>\n<li>Instagram.followers.unfollowers<\/li>\n<li>Minivideos.videodownloader<\/li>\n<\/div><\/div><\/div>\n<\/ul>\n<p>This is only a small sample of the software that Win32\/DNDownloader has been disguised as. Additionally, the installation process typically includes prompts to install extra software.<\/p>\n<h2>PUA:Win32\/DNDownloader Analysis<\/h2>\n<p>Let&#8217;s take a closer look at this unwanted software. The first red flag is that Defender detects it as soon as the installation file is downloaded. This detection is warranted, and here\u2019s why. 
During installation, PUA:Win32\/DNDownloader persistently attempts to install additional bundled software.<\/p>\n<div class=\"su-image-carousel  su-image-carousel-has-spacing su-image-carousel-has-outline su-image-carousel-adaptive su-image-carousel-slides-style-default su-image-carousel-controls-style-dark su-image-carousel-align-center\" style=\"\" data-flickity-options='{\"groupCells\":true,\"cellSelector\":\".su-image-carousel-item\",\"adaptiveHeight\":true,\"cellAlign\":\"left\",\"prevNextButtons\":true,\"pageDots\":true,\"autoPlay\":5000,\"imagesLoaded\":true,\"contain\":false,\"selectedAttraction\":0.007,\"friction\":0.25}' id=\"su_image_carousel_696d088bebbf9\"><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"428\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/ldplayer-installer.webp\" class=\"\" alt=\"LDPlayer Installation process screenshot\" title=\"\"><span>LDPlayer Installation process<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"428\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/ldplayer-with-opera.webp\" class=\"\" alt=\"LDPlayer Installation process screenshot\" title=\"\"><span>LDPlayer Installation process<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"428\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/ldplayer-vith-360-security.webp\" class=\"\" alt=\"LDPlayer Installation process screenshot\" title=\"\"><span>LDPlayer Installation process<\/span><\/div><\/div><\/div>
\n<p>The programs included in this bundle are typical for unwanted software of this kind\u2014namely, Opera and 360 Total Security. I\u2019ve <a href=\"https:\/\/gridinsoft.com\/blogs\/puabundler-win32-mediaget-removal-guide\/\">encountered other unwanted software<\/a> that also tries to install these two programs.<\/p>\n<h2>Technical Details<\/h2>\n<p>Although PUA:Win32\/DNDownloader may seem harmless at first glance, its behavior on the system indicates otherwise. The first red flag is that it reads mutexes on the system. The program looks for the <strong>Local\\__DDDrawCheckExclMode__<\/strong> mutex and if it does not find it, it creates it and several others:<\/p>\n<p><code style=\"font-size: 14px\">{EE8B94A3-D811-458B-A446-AF28FA10E845}<br \/>\nMUTEX_LDPLAYER<br \/>\n\\Sessions\\1\\BaseNamedObjects\\MUTEX_LDPLAYER<br \/>\n\\Sessions\\1\\BaseNamedObjects\\{EE8B94A3-D811-458B-A446-AF28FA10E845}<\/code><\/p>\n<p>This behavior is typical of a malicious program, or at least something phony, but not legitimate software. During installation, PUA:Win32\/DNDownloader employs techniques like obfuscation to avoid static and dynamic analysis, and it checks for a virtual environment by verifying the following values:<\/p>\n<p><code style=\"font-size: 14px\">\\HARDWARE\\DESCRIPTION\\System\\BIOS<br \/>\n\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName<br \/>\n\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer<\/code><\/p>\n<p>While a hardware check may be justifiable for optimizing emulator performance, checking for anti-malware software is unusual for standard programs. 
It checks the following registry keys:<\/p>\n<p><code style=\"font-size: 14px\"><br \/>\n\\SOFTWARE\\AVAST Software\\Avast<br \/>\n\\SOFTWARE\\Wow6432Node\\AVAST Software\\Avast<br \/>\n\\SOFTWARE\\AVG\\AV<br \/>\n\\SOFTWARE\\Wow6432Node\\AVG\\AV<br \/>\n\\SOFTWARE\\Avira\\Browser<br \/>\n\\SOFTWARE\\Wow6432Node\\Avira\\Browser<br \/>\n\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection<br \/>\n\\SOFTWARE\\WOW6432Node\\McAfee<\/code><\/p>\n<p>It also modifies certain registry values related to system protection and OneDrive. Otherwise, despite these red flags, LDPlayer performs its intended function.<\/p>\n<p><code style=\"font-size: 14px\">HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Security and Maintenance\\Checks\\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\\CheckSetting<br \/>\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\OneDrive\\Accounts\\LastUpdate<\/code><\/p>\n<h2>Is PUA:Win32\/DNDownloader False Positive?<\/h2>\n<p>Yes, PUA:Win32\/DNDownloader can be a false positive detection. Since this is a heuristic detection, <strong>it relies on behavior analysis<\/strong> rather than exact signatures. This means that machine learning may occasionally misinterpret certain behaviors. This is also true for the program files it extracts during installation.<\/p>\n<p>For example, on 06\/14\/2024, some VirusTotal <a href=\"https:\/\/www.virustotal.com\/gui\/file\/72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5\/community\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">analyses and comments<\/a> indicated that the files Roboto-Regular.otf and NotoSans-Regular.otf contained DcRat (DarkCrystal RAT). 
However, <a href=\"https:\/\/tria.ge\/241029-k76d4avnfq\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">upon re-analysis<\/a> on 10\/29\/2024, no malware was detected in these files.<\/p>\n<p>Conversely, this detection is associated with the LDPlayer program specifically, which Microsoft Defender flags in most cases upon download. Although the latest version from the official website does not currently trigger a detection, this could change in the future.<\/p>\n<h2>How To Ensure Your PC is Clean From PUA:Win32\/DNDownloader?<\/h2>\n<p><strong>LDPlayer<\/strong> itself is not malicious; however, the additional software it attempts to install can pose security risks.<\/p>\n<p>To ensure your PC is clean, start by running a full scan with <a href=\"\/antimalware\">Gridinsoft Anti-Malware<\/a>. This security tool is designed to detect and remove potentially unwanted applications (PUAs) like DNDownloader, which may infiltrate your system through bundled downloads or malicious ads. After the scan, review and remove any detected items to eliminate potential risks. Finally, activate real-time protection to prevent similar threats from sneaking into your system in the future.<\/p>\n<p style=\"padding-top:15px;padding-bottom:15px;\"><a href=\"\/download\/antimalware\" rel=\"nofollow\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"\/blogs\/wp-content\/uploads\/2022\/07\/env02.webp\" alt=\"PUA:Win32\/DNDownloader\" width=\"798\" height=\"336\" class=\"aligncenter size-full\" title=\"\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You may see a PUA:Win32\/DNDownloader detection while installing certain software. This detection refers to potentially unwanted software that attempts to run unwanted apps along with the \u201cmain\u201d installation. In this article, I explain how to remove it and show the dangers related to that threat. 
Detection Overview PUA:Win32\/DNDownloader is a heuristic detection of [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":28025,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17,4],"tags":[474,223],"class_list":{"0":"post-28010","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"category-tips-tricks","9":"tag-unwanted-programs","10":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/PUA-Win32DNDownloader.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=28010"}],"version-history":[{"count":17,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28010\/revisions"}],"predecessor-version":[{"id":28148,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28010\/revisions\/28148"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/28025"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=28010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=28010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridins
oft.com\/blogs\/wp-json\/wp\/v2\/tags?post=28010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}