File name:

WorkshopDL.2.0.0_installer.exe

Full analysis: https://app.any.run/tasks/f6b4f3bf-0dca-493b-b97b-b88a40fe1f13
Verdict: Malicious activity
Analysis date: March 21, 2024, 07:11:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7B2E93090FCD57BF14A775C2F5A825E6

SHA1:

D51E79CBC45FA49251633D9390F8DF6AE2A62913

SHA256:

53029E57FAF8F47DE6D994C817CA08B1F9768E59CDBE8386638B08C45C661074

SSDEEP:

49152:I70nXRPo41MLdWsXz+vlDpoB1uRsHOsQblagkr3vos/BUcMF2NOY5zbxre9q7pfD:FXRwuedQvlDpobuRsHO/Zmr3//BtMF2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
  • SUSPICIOUS

    • Creates a software uninstall entry

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
    • Executable content was dropped or overwritten

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
    • Reads security settings of Internet Explorer

      • WorkshopDL.exe (PID: 3724)
    • Reads the Internet Settings

      • WorkshopDL.exe (PID: 3724)
    • Reads settings of System Certificates

      • WorkshopDL.exe (PID: 3724)
    • Checks Windows Trust Settings

      • WorkshopDL.exe (PID: 3724)
  • INFO

    • Reads the computer name

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
      • WorkshopDL.exe (PID: 3724)
    • Checks supported languages

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
      • WorkshopDL.exe (PID: 3724)
    • Creates files or folders in the user directory

      • WorkshopDL.2.0.0_installer.exe (PID: 2896)
      • WorkshopDL.exe (PID: 3724)
    • Manual execution by a user

      • WorkshopDL.exe (PID: 3724)
    • Checks proxy server information

      • WorkshopDL.exe (PID: 3724)
    • Reads the machine GUID from the registry

      • WorkshopDL.exe (PID: 3724)
    • Reads the software policy settings

      • WorkshopDL.exe (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:10:20 13:41:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 98304
InitializedDataSize: 53248
UninitializedDataSize: -
EntryPoint: 0x1288a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.29
ProductVersionNumber: 2.0.0.29
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 2, 0, 0, 29
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
PrivateBuild: -
ProductName: WorkshopDL Install Program
ProductVersion: 2, 0, 0, 29
SpecialBuild: -
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph (process details are in the full report)

  start
    workshopdl.2.0.0_installer.exe
    workshopdl.exe
    workshopdl.2.0.0_installer.exe (no specs)

Process information

PID 1836
  CMD: "C:\Users\admin\AppData\Local\Temp\WorkshopDL.2.0.0_installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\WorkshopDL.2.0.0_installer.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance terminated before loading anything beyond ntdll.dll; the same image was then started elevated as PID 2896)
  Version: 2, 0, 0, 29
  Modules (images loaded):
    c:\users\admin\appdata\local\temp\workshopdl.2.0.0_installer.exe
    c:\windows\system32\ntdll.dll

PID 2896
  CMD: "C:\Users\admin\AppData\Local\Temp\WorkshopDL.2.0.0_installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\WorkshopDL.2.0.0_installer.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Version: 2, 0, 0, 29
  Modules (images loaded):
    c:\users\admin\appdata\local\temp\workshopdl.2.0.0_installer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 3724
  CMD: "C:\WorkshopDL\WorkshopDL.exe"
  Path: C:\WorkshopDL\WorkshopDL.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images loaded):
    c:\workshopdl\workshopdl.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
Total events
6 209
Read events
6 141
Write events
56
Delete events
12

Modification events

(PID 2896) WorkshopDL.2.0.0_installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WorkshopDL
  Operation: write    Name: DisplayName    Value: WorkshopDL
(PID 2896) WorkshopDL.2.0.0_installer.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WorkshopDL
  Operation: write    Name: UninstallString    Value: C:\WorkshopDL\Uninstall.exe
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write    Name: ProxyEnable    Value: 0
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: delete value    Name: ProxyServer
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: delete value    Name: ProxyOverride
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: delete value    Name: AutoConfigURL
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: delete value    Name: AutoDetect
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write    Name: SavedLegacySettings
  Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write    Name: CachePrefix    Value: (empty)
(PID 3724) WorkshopDL.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write    Name: CachePrefix    Value: Cookie:
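The SavedLegacySettings value written by PID 3724 is WinINet's serialised per-connection proxy record (the same layout as DefaultConnectionSettings under the same key). Decoding it is worth the minute it takes: this key is what proxy-hijacking malware edits, and it is also what any WinINet client rewrites the first time it is used in a fresh profile, so the decoded content decides which of the two you are looking at. The script below is an added example and not part of the ANY.RUN report. The constant is the value shown above with its trailing zeros trimmed; the layout of the documented prefix (version, change counter, INTERNET_PER_CONN_FLAGS, then three length-prefixed ANSI strings for proxy server, bypass list and PAC URL) comes from wininet.h and common documentation of this blob; everything after the PAC URL is kept as an opaque trailer because its layout is not publicly documented. Function and field names are mine.

```python
"""Decode the WinINet connection-settings blob stored in
HKCU\\...\\Internet Settings\\Connections\\SavedLegacySettings.

Only the documented prefix is parsed; the remainder is returned raw.
"""
import struct

# Value recorded in the report for PID 3724 (trailing zero bytes trimmed).
SAVED_LEGACY_SETTINGS_HEX = (
    "46000000" "5C010000" "09000000"            # version, change counter, flags
    "00000000" "00000000" "00000000"            # proxy, bypass, PAC URL lengths (all 0)
    "04000000" "00000000" "C0E333BB" "EAB1D301" # not parsed here: layout undocumented
    "00000000" "00000000" "00000000" "01000000"
    "02000000" "C0A8016B"
)

# INTERNET_PER_CONN_FLAGS bits from wininet.h
PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8
FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "PROXY_TYPE_DIRECT",
    PROXY_TYPE_PROXY: "PROXY_TYPE_PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "PROXY_TYPE_AUTO_PROXY_URL",
    PROXY_TYPE_AUTO_DETECT: "PROXY_TYPE_AUTO_DETECT",
}


def parse_connection_settings(blob: bytes) -> dict:
    """Parse the documented prefix of a SavedLegacySettings value."""
    off = 0

    def u32() -> int:
        nonlocal off
        (value,) = struct.unpack_from("<I", blob, off)
        off += 4
        return value

    def lpstr() -> str:
        # DWORD byte length followed by that many ANSI characters, no terminator
        nonlocal off
        n = u32()
        s = blob[off:off + n].decode("latin-1")
        off += n
        return s

    version = u32()
    counter = u32()
    flags = u32()
    proxy = lpstr()
    bypass = lpstr()
    pac_url = lpstr()
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "autoconfig_url": pac_url,
        "trailer": blob[off:],          # undocumented remainder, left as bytes
    }


def proxy_is_effectively_disabled(settings: dict) -> bool:
    """True when neither a static proxy nor a PAC URL is configured."""
    flags = settings["flags"]
    static = (flags & PROXY_TYPE_PROXY) and settings["proxy_server"]
    pac = (flags & PROXY_TYPE_AUTO_PROXY_URL) and settings["autoconfig_url"]
    return not static and not pac


if __name__ == "__main__":
    s = parse_connection_settings(bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX))
    for key, value in s.items():
        print(f"{key:15} {value.hex() if isinstance(value, bytes) else value}")
    print("proxy disabled:", proxy_is_effectively_disabled(s))
```

For this sample the record decodes to version 0x46, change counter 348, flags 0x09 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) and three empty strings. That is the same state as the ProxyEnable=0 write and the ProxyServer/AutoConfigURL deletions listed above, and it is the default a WinINet client persists when no proxy was ever configured in the sandbox profile, so on its own it is not evidence of proxy tampering; a non-empty proxy_server or autoconfig_url pointing at something the organisation does not own would be.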
Executable files
48
Suspicious files
5
Text files
5
Unknown types
4

Dropped files

PID 2896  WorkshopDL.2.0.0_installer.exe
  C:\WorkshopDL\WorkshopDL.dat  (binary)
    MD5: CB0A903965BAA1B5F58936A9E4DF450B
    SHA256: A3C60FFEC420A5DAF322B4F78A1B236E085DBDF98AD5A2BD4F792A32BEC19D5E
  C:\WorkshopDL\Uninstall.$A  (executable)
    MD5: 9086CCADF45CB48DD30C3E32A75242A8
    SHA256: 22B3AFD0A8E745ECFE9508C983A3FF31AA24613F827F3E0D9EC38F90DBB8C8A4
  C:\WorkshopDL\WorkshopDL.exe  (executable)
    MD5: DBA0313FAA2D314B0F3F5786592F0B28
    SHA256: D316A104C8F2F6483F0504C9B8544E45766A2248BD7AD5FD481951572F78BEFC
  C:\WorkshopDL\Uninstall.exe  (executable)
    MD5: 9086CCADF45CB48DD30C3E32A75242A8
    SHA256: 22B3AFD0A8E745ECFE9508C983A3FF31AA24613F827F3E0D9EC38F90DBB8C8A4
  C:\WorkshopDL\Modules\fcFolder.mfx  (executable)
    MD5: 5C99AF6A8984DD284FFE212CBF938DBA
    SHA256: B69D14B730F9D527139719138A336A570127D62A4E27FBB0B9C6BDCDE6504A57
  C:\WorkshopDL\Modules\Download.$A  (executable)
    MD5: 5DB542E04642FC8F991BD2A9FA144137
    SHA256: 62533E8ADB19FB58CE6B4067822389FE6697BAF9C0CFCE7DC0EC1D95FBD2E7AA
  C:\WorkshopDL\Modules\fcFolder.$A  (executable)
    MD5: 5C99AF6A8984DD284FFE212CBF938DBA
    SHA256: B69D14B730F9D527139719138A336A570127D62A4E27FBB0B9C6BDCDE6504A57
  C:\WorkshopDL\Modules\AdvTray.mfx  (executable)
    MD5: D9FB3B5FC60D04F33FADD47837075F6B
    SHA256: EAB82AB6DAE40B99D5170A003D7B406C3E362CA1372FC3567A716C1F2C0807A5
  C:\WorkshopDL\Modules\Archive.$A  (executable)
    MD5: 0D1416E079CC907971A7EEBE49189EB1
    SHA256: C75918D99DD8983FFF3DC51EA3F28AD7A9DA8C84F273E5A20736F227626FB50B
  C:\WorkshopDL\Modules\Archive.mfx  (executable)
    MD5: 0D1416E079CC907971A7EEBE49189EB1
    SHA256: C75918D99DD8983FFF3DC51EA3F28AD7A9DA8C84F273E5A20736F227626FB50B
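Before pivoting on the hashes above it pays to collapse them: several of the .$A files have exactly the same SHA-256 as an .exe or .mfx in the same directory, which is the signature of an installer writing a temporary copy and then renaming it, not of separate payloads. The script below is an added example, not part of the ANY.RUN report; it transcribes the ten rows shown above into Python and groups them by hash. The .mfx naming looks like Clickteam Fusion extension modules, but that is an inference from the file names, not something the report states.

```python
"""Group an installer's dropped files by SHA-256 so staging copies and
their final names are counted as one artifact."""
from collections import defaultdict

# Rows transcribed from the report's "Dropped files" table (all PID 2896).
DROPPED_FILES = [
    (r"C:\WorkshopDL\WorkshopDL.dat", "binary",
     "A3C60FFEC420A5DAF322B4F78A1B236E085DBDF98AD5A2BD4F792A32BEC19D5E"),
    (r"C:\WorkshopDL\Uninstall.$A", "executable",
     "22B3AFD0A8E745ECFE9508C983A3FF31AA24613F827F3E0D9EC38F90DBB8C8A4"),
    (r"C:\WorkshopDL\WorkshopDL.exe", "executable",
     "D316A104C8F2F6483F0504C9B8544E45766A2248BD7AD5FD481951572F78BEFC"),
    (r"C:\WorkshopDL\Uninstall.exe", "executable",
     "22B3AFD0A8E745ECFE9508C983A3FF31AA24613F827F3E0D9EC38F90DBB8C8A4"),
    (r"C:\WorkshopDL\Modules\fcFolder.mfx", "executable",
     "B69D14B730F9D527139719138A336A570127D62A4E27FBB0B9C6BDCDE6504A57"),
    (r"C:\WorkshopDL\Modules\Download.$A", "executable",
     "62533E8ADB19FB58CE6B4067822389FE6697BAF9C0CFCE7DC0EC1D95FBD2E7AA"),
    (r"C:\WorkshopDL\Modules\fcFolder.$A", "executable",
     "B69D14B730F9D527139719138A336A570127D62A4E27FBB0B9C6BDCDE6504A57"),
    (r"C:\WorkshopDL\Modules\AdvTray.mfx", "executable",
     "EAB82AB6DAE40B99D5170A003D7B406C3E362CA1372FC3567A716C1F2C0807A5"),
    (r"C:\WorkshopDL\Modules\Archive.$A", "executable",
     "C75918D99DD8983FFF3DC51EA3F28AD7A9DA8C84F273E5A20736F227626FB50B"),
    (r"C:\WorkshopDL\Modules\Archive.mfx", "executable",
     "C75918D99DD8983FFF3DC51EA3F28AD7A9DA8C84F273E5A20736F227626FB50B"),
]


def _is_staging(path: str) -> bool:
    # Temporary copies in this drop set carry a .$A extension.
    return path.lower().endswith(".$a")


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def unique_artifacts(rows) -> dict:
    """Map lower-case sha256 -> sorted list of paths that carry that content."""
    by_hash = defaultdict(set)
    for path, _ftype, sha256 in rows:
        by_hash[sha256.lower()].add(path)
    return {h: sorted(paths) for h, paths in by_hash.items()}


def staging_pairs(rows) -> list:
    """(staging_path, final_path) pairs: a .$A file whose content also exists
    under a non-staging name in the same directory."""
    pairs = []
    for paths in unique_artifacts(rows).values():
        temps = [p for p in paths if _is_staging(p)]
        finals = [p for p in paths if not _is_staging(p)]
        for t in temps:
            for f in finals:
                if _parent(t) == _parent(f):
                    pairs.append((t, f))
    return sorted(pairs)


def orphan_staging_files(rows) -> list:
    """Staging files whose content never appears under a final name in the
    captured rows: the rename was not captured or the file was removed."""
    return sorted(
        p
        for paths in unique_artifacts(rows).values()
        if all(_is_staging(p) for p in paths)
        for p in paths
    )


if __name__ == "__main__":
    print("distinct payloads:", len(unique_artifacts(DROPPED_FILES)))
    for temp, final in staging_pairs(DROPPED_FILES):
        print(f"{temp} -> {final}")
    print("orphan staging files:", orphan_staging_files(DROPPED_FILES))
```

On these rows the ten entries reduce to seven distinct payloads, three of them seen under both a .$A and a final name; Download.$A is the only staging file with no final-name twin in the captured list, so it is the one worth pulling from the full report to see whether it was renamed, executed or deleted.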
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
15
DNS requests
6
Threats
0

HTTP requests

PID 3724  WorkshopDL.exe  GET  200  192.229.221.95:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
  CN: unknown    Type: binary    Size: 471 b
PID 3724  WorkshopDL.exe  GET  200  192.229.221.95:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
  CN: unknown    Type: binary    Size: 471 b
PID 3724  WorkshopDL.exe  GET  304  23.216.77.80:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6578879dcf199db3
  CN: unknown

Connections

PID 4     System          192.168.100.255:137   Reputation: unknown
PID 4     System          192.168.100.255:138   Reputation: unknown
(process not listed)      224.0.0.252:5355      Reputation: unknown
PID 1080  svchost.exe     224.0.0.252:5355      Reputation: unknown
PID 3724  WorkshopDL.exe  185.199.108.133:443   raw.githubusercontent.com   ASN: FASTLY                     CN: US   Reputation: unknown
PID 3724  WorkshopDL.exe  184.24.77.162:443     steamcdn-a.akamaihd.net     ASN: Akamai International B.V.  CN: DE   Reputation: unknown
PID 3724  WorkshopDL.exe  23.216.77.69:80       ctldl.windowsupdate.com     ASN: Akamai International B.V.  CN: DE   Reputation: unknown
PID 3724  WorkshopDL.exe  192.229.221.95:80     ocsp.digicert.com           ASN: EDGECAST                   CN: US   Reputation: unknown
PID 3724  WorkshopDL.exe  23.216.77.80:80       ctldl.windowsupdate.com     ASN: Akamai International B.V.  CN: DE   Reputation: unknown

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.111.133
unknown
steamcdn-a.akamaihd.net
  • 184.24.77.162
  • 184.24.77.156
unknown
dns.msftncsi.com
  • 131.107.255.255
unknown
ctldl.windowsupdate.com
  • 23.216.77.69
  • 23.216.77.80
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown

Threats

No threats detected

Process          Message
WorkshopDL.exe   Start app
WorkshopDL.exe   Last Error: 0  (logged 7 times)