File name: irfanview_452_setup.exe

Full analysis: https://app.any.run/tasks/b151c0ed-774b-4ef1-a02d-00b929a3bc35
Verdict: Malicious activity
Analysis date: September 12, 2024, 17:13:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 801D6D18C25D304EA5EAF2631A98105E
SHA1: D02AE38BC0ED371BA1019F2B963D9762E8F136D8
SHA256: E7CCAB6695F158599436237042D7AAB875DD54488CF1E00B917BAA48C63CBB26
SSDEEP: 98304:XmBlOv31PY7w63ibukJxVp+GGMpJULmQQl56A+xmyhoqMppDxhrrMMXVQI2S/A/E:4wmk1+xB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • irfanview_452_setup.exe (PID: 5524)
    • Creates a software uninstall entry

      • irfanview_452_setup.exe (PID: 5524)
  • INFO

    • Creates files in the program directory

      • irfanview_452_setup.exe (PID: 5524)
    • Reads the computer name

      • irfanview_452_setup.exe (PID: 5524)
    • Creates files or folders in the user directory

      • irfanview_452_setup.exe (PID: 5524)
    • Create files in a temporary directory

      • irfanview_452_setup.exe (PID: 5524)
    • Checks supported languages

      • irfanview_452_setup.exe (PID: 5524)
No malware configuration was extracted.

Note that the verdict marks the sample as malicious although no MALICIOUS signature fired. The two SUSPICIOUS signatures (executable content dropped, software uninstall entry created) are behaviours every installer shows, so nothing in the signature list above points to a specific malicious indicator; the signature details and MITRE ATT&CK mapping are in the full report.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:12 10:39:21+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 148992
InitializedDataSize: 2334720
UninitializedDataSize: -
EntryPoint: 0xd413
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.52.0.0
ProductVersionNumber: 4.52.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: German (Austrian)
CharacterSet: Unicode
Comments: IrfanView 32-bit Installer
CompanyName: Irfan Skiljan
FileDescription: IrfanView 32-bit Installer
FileVersion: 4.52
InternalName: IrfanView 32-bit Installer
LegalCopyright: Copyright © 2018 by Irfan Skiljan, Austria
LegalTrademarks: -
OriginalFileName: iview452_setup.exe
PrivateBuild: -
ProductName: IrfanView 32-bit Installer
ProductVersion: 4.52
SpecialBuild: -
Total processes: 121
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph rendered in the full report: two irfanview_452_setup.exe process nodes (PID 2232 and PID 5524), both launched from explorer.exe; one of the nodes carries no signatures ("no specs").

Process information

PID 2232  "C:\Users\admin\Desktop\irfanview_452_setup.exe"
Path: C:\Users\admin\Desktop\irfanview_452_setup.exe
Parent process: explorer.exe
User: admin
Company: Irfan Skiljan
Integrity Level: MEDIUM
Description: IrfanView 32-bit Installer
Version: 4.52
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
  c:\users\admin\desktop\irfanview_452_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID 5524  "C:\Users\admin\Desktop\irfanview_452_setup.exe"
Path: C:\Users\admin\Desktop\irfanview_452_setup.exe
Parent process: explorer.exe
User: admin
Company: Irfan Skiljan
Integrity Level: HIGH
Description: IrfanView 32-bit Installer
Version: 4.52
Modules (images):
  c:\users\admin\desktop\irfanview_452_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

The first instance (PID 2232, MEDIUM integrity) was torn down during initialization with STATUS_ELEVATION_REQUIRED, having mapped nothing beyond ntdll; the installer then ran elevated as PID 5524 (HIGH integrity). This is the footprint of a UAC elevation request (for example a requireAdministrator manifest), and all file and registry activity recorded below belongs to PID 5524.
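The exit code and integrity-level change between the two instances can be checked mechanically. The following is an added example, not ANY.RUN's code: the two process records are transcribed from the table above, and NTSTATUS_NAMES is a hand-picked subset of documented Windows status codes, not a complete table.

```python
"""Decode the exit code and the MEDIUM -> HIGH integrity change between
the two irfanview_452_setup.exe instances in the process table.

Added example, not ANY.RUN's code. REPORT_PROCS is transcribed from this
report; NTSTATUS_NAMES is a small hand-picked subset of documented codes.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# When a process dies during initialization, Windows reports the NTSTATUS
# as the exit code, which a sandbox then prints as a large unsigned decimal.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
STATUS_ELEVATION_REQUIRED = 0xC000042C


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: str
    integrity: str              # MEDIUM, HIGH, ...
    exit_code: Optional[int]    # None if the report records no exit
    modules: tuple              # image + DLL paths as the report prints them


def decode_exit_code(code: int) -> tuple:
    """Return (hex, name). Codes whose two severity bits are 0b11 are
    NTSTATUS errors rather than application-defined exit codes."""
    code &= 0xFFFFFFFF
    if code >> 30 == 0b11:
        return f"0x{code:08X}", NTSTATUS_NAMES.get(code, "NTSTATUS error (not in table)")
    return f"0x{code:08X}", "application-defined exit code"


def died_in_loader(proc: Proc) -> bool:
    """True if nothing beyond the image itself and ntdll was ever mapped,
    i.e. the process was torn down before kernel32 was loaded."""
    return all(m.endswith("\\ntdll.dll") or m == proc.image for m in proc.modules)


def find_uac_relaunch(procs) -> list:
    """Pair a MEDIUM-integrity instance that exited with
    STATUS_ELEVATION_REQUIRED with a HIGH-integrity instance of the same
    image and parent: the pattern a UAC elevation request leaves behind."""
    pairs = []
    for first in procs:
        if first.integrity != "MEDIUM" or first.exit_code is None:
            continue
        if (first.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        for second in procs:
            if (second is not first and second.integrity == "HIGH"
                    and second.image == first.image and second.parent == first.parent):
                pairs.append((first.pid, second.pid))
    return pairs


# Transcribed from the report (paths lower-cased as the report prints them).
IMG = r"c:\users\admin\desktop\irfanview_452_setup.exe"
REPORT_PROCS = (
    Proc(2232, IMG, "explorer.exe", "MEDIUM", 3221226540,
         (IMG, r"c:\windows\system32\ntdll.dll", r"c:\windows\syswow64\ntdll.dll")),
    Proc(5524, IMG, "explorer.exe", "HIGH", None,
         (IMG, r"c:\windows\system32\ntdll.dll", r"c:\windows\syswow64\ntdll.dll",
          r"c:\windows\system32\wow64.dll", r"c:\windows\system32\wow64win.dll",
          r"c:\windows\system32\wow64cpu.dll", r"c:\windows\syswow64\kernel32.dll",
          r"c:\windows\syswow64\kernelbase.dll", r"c:\windows\syswow64\apphelp.dll",
          r"c:\windows\syswow64\user32.dll")),
)

if __name__ == "__main__":
    for p in REPORT_PROCS:
        if p.exit_code is not None:
            print(p.pid, *decode_exit_code(p.exit_code), "loader-only:", died_in_loader(p))
    print("UAC relaunch pairs:", find_uac_relaunch(REPORT_PROCS))
```

The severity test (`code >> 30 == 0b11`) is what separates a real NTSTATUS from an installer that simply returns a large number; the module-list check is the corroborating signal, since a process that reached its entry point would have kernel32 mapped.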
Total events: 262
Read events: 167
Write events: 95
Delete events: 0

Modification events (all writes by PID 5524, irfanview_452_setup.exe)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\i_view32.exe
  FriendlyAppName = "IrfanView 32-bit"

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IrfanView
  DisplayName     = "IrfanView 4.52 (32-bit)"
  UninstallString = "C:\Program Files (x86)\IrfanView\iv_uninstall.exe"  (quoted command line)
  Publisher       = "Irfan Skiljan"
  InstallLocation = "C:\Program Files (x86)\IrfanView\"
  DisplayVersion  = "4.52"
  DisplayIcon     = "C:\Program Files (x86)\IrfanView\i_view32.exe,0"
  VersionMajor    = 4
  VersionMinor    = 52
  EstimatedSize   = 3584  (KB)
Executable files: 13
Suspicious files: 6
Text files: 22
Unknown types: 6

Dropped files (all by PID 5524, irfanview_452_setup.exe)

C:\Users\admin\AppData\Local\Temp\iview_x32.zip  (compressed)
  MD5: 59862B8B839D5BAD1E746AF6997D4A66
  SHA256: 47EB3500DAFC944FA3BE74516A57EB6F2B9287A68AC1F03D5F5067AC2AFA43E0

C:\Program Files (x86)\IrfanView\Plugins\Icons.dll  (executable)
  MD5: 39D9B94B71C432859EAD3513E82E9DE4
  SHA256: 4A2EAE12A9C53B74A2E1833A090E8572150AD2E46A01554280D23A75C84D2E01

C:\Program Files (x86)\IrfanView\i_changes.txt  (text)
  MD5: C49B742852C3D736798E72EFAB817DE6
  SHA256: 3ADA7D46FD338ED77BAB2279FD7697AF5B99B9DA0E0DBE038AD7F88DC246DCF0

C:\Program Files (x86)\IrfanView\Toolbars\Grosberg_24.png  (image)
  MD5: 183FF1EB0BB4AC9B7875F977C778D659
  SHA256: 303BD07905C096EB0CE9BBBE1721B541E29A3929380ECEA7EA6AE74BEFA3D332

C:\Program Files (x86)\IrfanView\i_plugins.txt  (text)
  MD5: FDB30B80D4B1B7EEE555714F35B21C80
  SHA256: 895686A46A6F2AC8716E6F26CC4326A0D16E7DF5BBD99B471C35A4C9FE65D0EB

C:\Program Files (x86)\IrfanView\i_options.txt  (text)
  MD5: 55F32668F6A04FD2480E2E751ADD1AC8
  SHA256: 94942CA9C16C7194A458DC53DCE74B91976FB5C4401D90E630B83035F8BE5AA1

C:\Program Files (x86)\IrfanView\i_languages.txt  (text)
  MD5: 97AB52F18CC61F0867445520F02C48DE
  SHA256: 1582F3F3EB1996F65110E6CE2B36417D1733699CF804EB41E1980D0900D5DB27

C:\Program Files (x86)\IrfanView\Html\thumbnails.html  (html)
  MD5: 1AC8A9A77F1A5C674463F925431D14BD
  SHA256: CCA0218B31DACEA39F1A73C7504E4DB720A8038A275DAE552BF29A807FA8877D

C:\Program Files (x86)\IrfanView\Html\frame.html  (html)
  MD5: E5AF395AE5F829D29357701872C9C731
  SHA256: E4D580FAAF8FDEAF507BCB0948887611271702732236F2E9321FBC647C7A9498

C:\Program Files (x86)\IrfanView\i_about.txt  (text)
  MD5: EA24541F10CBEEC11664E1BB11A8D20E
  SHA256: F40E366D62F65175A4EA804F376BB6EE74CAEC2216B86A1471936DF358531C8F
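The uninstall entry in the modification events and the dropped-file list above can be cross-checked against each other: the UninstallString and DisplayIcon should resolve inside InstallLocation, no executable should land outside it, and anything written to a temp directory is staging rather than installation. The following is an added example, not ANY.RUN's or IrfanView's code; the registry writes and the dropped-file subset are transcribed from this report, and the rules it encodes are this example's own assumptions about a benign installer footprint.

```python
"""Consistency checks on the installer footprint recorded in the report:
the uninstall entry under WOW6432Node and the dropped-file list.

Added example, not ANY.RUN's or IrfanView's code. REG_WRITES and DROPPED
are transcribed from the report (DROPPED is the subset the report shows);
the checks below are this example's own assumptions.
"""
from __future__ import annotations
import ntpath

UNINSTALL_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows"
                 "\\CurrentVersion\\Uninstall\\IrfanView")

# (key, value name, data) as written by PID 5524.
REG_WRITES = [
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Applications\\i_view32.exe",
     "FriendlyAppName", "IrfanView 32-bit"),
    (UNINSTALL_KEY, "DisplayName", "IrfanView 4.52 (32-bit)"),
    (UNINSTALL_KEY, "UninstallString", '"C:\\Program Files (x86)\\IrfanView\\iv_uninstall.exe"'),
    (UNINSTALL_KEY, "Publisher", "Irfan Skiljan"),
    (UNINSTALL_KEY, "InstallLocation", "C:\\Program Files (x86)\\IrfanView\\"),
    (UNINSTALL_KEY, "DisplayVersion", "4.52"),
    (UNINSTALL_KEY, "DisplayIcon", "C:\\Program Files (x86)\\IrfanView\\i_view32.exe,0"),
    (UNINSTALL_KEY, "VersionMajor", "4"),
    (UNINSTALL_KEY, "VersionMinor", "52"),
    (UNINSTALL_KEY, "EstimatedSize", "3584"),   # KB, per the Uninstall key convention
]

# (path, type) dropped by PID 5524.
DROPPED = [
    ("C:\\Users\\admin\\AppData\\Local\\Temp\\iview_x32.zip", "compressed"),
    ("C:\\Program Files (x86)\\IrfanView\\Plugins\\Icons.dll", "executable"),
    ("C:\\Program Files (x86)\\IrfanView\\i_changes.txt", "text"),
    ("C:\\Program Files (x86)\\IrfanView\\Toolbars\\Grosberg_24.png", "image"),
    ("C:\\Program Files (x86)\\IrfanView\\Html\\thumbnails.html", "html"),
]

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def values_for(writes, key):
    """Collect the value-name -> data map for one registry key."""
    return {name: data for k, name, data in writes if k.lower() == key.lower()}


def program_from_command(cmd):
    """First token of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def program_from_icon(value):
    """DisplayIcon is 'path' or 'path,index'; return just the path."""
    path, sep, _idx = value.rpartition(",")
    return (path if sep else value).strip().strip('"')


def is_under(path, root):
    """Case-insensitive 'path equals root or lies inside root' for Windows paths."""
    root = ntpath.normcase(ntpath.normpath(root))
    path = ntpath.normcase(ntpath.normpath(path))
    return path == root or path.startswith(root + ntpath.sep)


def in_temp(path):
    return any(m in path.lower() for m in TEMP_MARKERS)


def check_uninstall_entry(values):
    """Return a list of findings; an empty list means the entry is self-consistent."""
    findings = []
    loc = values.get("InstallLocation")
    if not loc:
        return ["no InstallLocation"]
    for name, extract in (("UninstallString", program_from_command),
                          ("DisplayIcon", program_from_icon)):
        if name not in values:
            findings.append(f"{name} missing")
            continue
        target = extract(values[name])
        if in_temp(target):
            findings.append(f"{name} points into a temp directory: {target}")
        elif not is_under(target, loc):
            findings.append(f"{name} points outside InstallLocation: {target}")
    # DisplayVersion should agree with VersionMajor / VersionMinor.
    major, _, minor = values.get("DisplayVersion", "").partition(".")
    if (major, minor) != (values.get("VersionMajor"), values.get("VersionMinor")):
        findings.append("DisplayVersion disagrees with VersionMajor/VersionMinor")
    return findings


def check_dropped_files(dropped, install_location):
    """Split dropped files into executables outside the install directory
    (worth a look) and temp-directory staging artifacts (informational)."""
    out = {"exec_outside_install": [], "temp_staging": []}
    for path, ftype in dropped:
        if ftype == "executable" and not is_under(path, install_location):
            out["exec_outside_install"].append(path)
        elif in_temp(path):
            out["temp_staging"].append(path)
    return out


if __name__ == "__main__":
    vals = values_for(REG_WRITES, UNINSTALL_KEY)
    print("uninstall entry:", check_uninstall_entry(vals) or "consistent")
    print(check_dropped_files(DROPPED, vals["InstallLocation"]))
```

On this report the uninstall entry is self-consistent and the only file outside the install directory is the iview_x32.zip payload staged in Temp; an UninstallString that pointed into AppData or Temp, or a DLL dropped outside InstallLocation, would be the case to escalate.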
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 15
DNS requests: 3
Threats: 0

HTTP requests

PID   Process              Method  Code  IP                 URL                                                                  CN       Reputation
2120  MoUsoCoreWorker.exe  GET     200   184.30.21.171:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl   unknown  whitelisted
6552  svchost.exe          GET     200   184.30.21.171:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl   unknown  whitelisted
6412  RUXIMICS.exe         GET     200   184.30.21.171:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl   unknown  whitelisted

None of the three requests comes from the sample's processes (PID 2232 or 5524); they are Windows servicing and telemetry components fetching a Microsoft CRL.

Connections

PID   Process              IP                     Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:138    -                                -                            -   whitelisted
6412  RUXIMICS.exe         20.73.194.208:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
2120  MoUsoCoreWorker.exe  20.73.194.208:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6552  svchost.exe          20.73.194.208:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
2120  MoUsoCoreWorker.exe  184.30.21.171:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted
6412  RUXIMICS.exe         184.30.21.171:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted
6552  svchost.exe          184.30.21.171:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted
-     -                    239.255.255.250:1900   -                                -                            -   whitelisted
4     System               192.168.100.255:137    -                                -                            -   whitelisted

DNS requests

Domain                           IP               Reputation
settings-win.data.microsoft.com  20.73.194.208    whitelisted
google.com                       142.250.185.174  whitelisted
www.microsoft.com                184.30.21.171    whitelisted
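Before reading "Threats: 0" as a clean bill of health, the network records above should be attributed to processes so that sample-originated traffic is separated from Windows background noise. The following is an added example, not ANY.RUN's code: RECORDS is transcribed from the HTTP, connection and DNS tables above (a DNS row has no PID in the summary, so it is entered without one), and the background rules are this example's own assumptions about ordinary Windows 10 sandbox noise.

```python
"""Attribute the report's network records to processes and separate
sample traffic (PIDs 2232 and 5524) from Windows background activity.

Added example, not ANY.RUN's code. RECORDS is transcribed from the report;
classify_background() encodes this example's own assumptions about what
a Windows 10 guest does on its own in a sandbox.
"""
from __future__ import annotations
from ipaddress import ip_address

SAMPLE_PIDS = {2232, 5524}

# (pid or None, process or None, "ip:port" or None, domain/url or None)
RECORDS = [
    (2120, "MoUsoCoreWorker.exe", "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (6552, "svchost.exe", "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (6412, "RUXIMICS.exe", "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (4, "System", "192.168.100.255:138", None),
    (4, "System", "192.168.100.255:137", None),
    (6412, "RUXIMICS.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (2120, "MoUsoCoreWorker.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (6552, "svchost.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (None, None, "239.255.255.250:1900", None),
    (None, None, None, "google.com"),      # DNS row: the summary records no PID
]


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); tolerates None."""
    if not endpoint:
        return None, None
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify_background(rec):
    """Name the Windows background activity a record matches, or None."""
    _pid, _proc, endpoint, name = rec
    ip, port = split_endpoint(endpoint)
    url = (name or "").lower()
    if ip and ip_address(ip).is_multicast and port == 1900:
        return "SSDP discovery"
    # Subnet-broadcast heuristic: last octet 255 on the NetBIOS ports.
    if ip and ip.endswith(".255") and port in (137, 138):
        return "NetBIOS broadcast"
    if url.startswith("http://www.microsoft.com/pkiops/crl/"):
        return "Microsoft CRL fetch"
    if url.endswith("settings-win.data.microsoft.com"):
        return "Windows settings/telemetry"
    return None


def attribute(records, sample_pids):
    """Bucket records into sample-originated, explained background, and
    unexplained (no PID and no matching background rule)."""
    buckets = {"sample": [], "background": [], "unexplained": []}
    for rec in records:
        if rec[0] in sample_pids:
            buckets["sample"].append(rec)
            continue
        label = classify_background(rec)
        if label:
            buckets["background"].append((label, rec))
        else:
            buckets["unexplained"].append(rec)
    return buckets


if __name__ == "__main__":
    for bucket, items in attribute(RECORDS, SAMPLE_PIDS).items():
        print(bucket, len(items))
        for item in items:
            print("   ", item)
```

On this report the sample bucket is empty and everything with a PID is explained by CRL fetching, settings-win telemetry, NetBIOS and SSDP. The google.com lookup is the one leftover: the summary gives it no PID, so it cannot be attributed from this page and needs the PCAP in the full report.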

Threats

No threats detected
No debug info