File name: irfanview_452_setup.exe

Full analysis: https://app.any.run/tasks/b151c0ed-774b-4ef1-a02d-00b929a3bc35
Verdict: Malicious activity
Analysis date: September 12, 2024, 17:13:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 801D6D18C25D304EA5EAF2631A98105E
SHA1: D02AE38BC0ED371BA1019F2B963D9762E8F136D8
SHA256: E7CCAB6695F158599436237042D7AAB875DD54488CF1E00B917BAA48C63CBB26
SSDEEP: 98304:XmBlOv31PY7w63ibukJxVp+GGMpJULmQQl56A+xmyhoqMppDxhrrMMXVQI2S/A/E:4wmk1+xB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates a software uninstall entry
      • irfanview_452_setup.exe (PID: 5524)
    • Executable content was dropped or overwritten
      • irfanview_452_setup.exe (PID: 5524)
  • INFO
    • Creates files in the program directory
      • irfanview_452_setup.exe (PID: 5524)
    • Creates files or folders in the user directory
      • irfanview_452_setup.exe (PID: 5524)
    • Checks supported languages
      • irfanview_452_setup.exe (PID: 5524)
    • Reads the computer name
      • irfanview_452_setup.exe (PID: 5524)
    • Create files in a temporary directory
      • irfanview_452_setup.exe (PID: 5524)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

Extension | Description | Match
.exe | Win32 Executable MS Visual C++ (generic) | 46.3%
.exe | Win64 Executable (generic) | 41%
.exe | Win32 Executable (generic) | 6.6%
.exe | Generic Win/DOS Executable | 2.9%
.exe | DOS Executable Generic | 2.9%

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:12 10:39:21+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 148992
InitializedDataSize: 2334720
UninitializedDataSize: -
EntryPoint: 0xd413
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.52.0.0
ProductVersionNumber: 4.52.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: German (Austrian)
CharacterSet: Unicode
Comments: IrfanView 32-bit Installer
CompanyName: Irfan Skiljan
FileDescription: IrfanView 32-bit Installer
FileVersion: 4.52
InternalName: IrfanView 32-bit Installer
LegalCopyright: Copyright © 2018 by Irfan Skiljan, Austria
LegalTrademarks: -
OriginalFileName: iview452_setup.exe
PrivateBuild: -
ProductName: IrfanView 32-bit Installer
ProductVersion: 4.52
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → irfanview_452_setup.exe → irfanview_452_setup.exe (no specs)

Process information

PID: 2232
CMD: "C:\Users\admin\Desktop\irfanview_452_setup.exe"
Path: C:\Users\admin\Desktop\irfanview_452_setup.exe
Parent process: explorer.exe
User: admin
Company: Irfan Skiljan
Integrity Level: MEDIUM
Description: IrfanView 32-bit Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the medium-integrity instance exited when the installer requested elevation, and the elevated instance is PID 5524 below)
Version: 4.52
Modules (images):
c:\users\admin\desktop\irfanview_452_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5524
CMD: "C:\Users\admin\Desktop\irfanview_452_setup.exe"
Path: C:\Users\admin\Desktop\irfanview_452_setup.exe
Parent process: explorer.exe
User: admin
Company: Irfan Skiljan
Integrity Level: HIGH
Description: IrfanView 32-bit Installer
Version: 4.52
Modules (images):
c:\users\admin\desktop\irfanview_452_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 262
Read events: 167
Write events: 95
Delete events: 0

Modification events

All entries below were written by (PID 5524) irfanview_452_setup.exe; operation: write.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\i_view32.exe
  FriendlyAppName = IrfanView 32-bit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IrfanView
  DisplayName = IrfanView 4.52 (32-bit)
  UninstallString = "C:\Program Files (x86)\IrfanView\iv_uninstall.exe"
  Publisher = Irfan Skiljan
  InstallLocation = C:\Program Files (x86)\IrfanView\
  DisplayVersion = 4.52
  DisplayIcon = C:\Program Files (x86)\IrfanView\i_view32.exe,0
  VersionMajor = 4
  VersionMinor = 52
  EstimatedSize = 3584
Executable files: 13
Suspicious files: 6
Text files: 22
Unknown types: 6

Dropped files

All files below were dropped by PID 5524 (irfanview_452_setup.exe).

C:\Users\admin\AppData\Local\Temp\iview_x32.zip (compressed)
  MD5: 59862B8B839D5BAD1E746AF6997D4A66
  SHA256: 47EB3500DAFC944FA3BE74516A57EB6F2B9287A68AC1F03D5F5067AC2AFA43E0
C:\Program Files (x86)\IrfanView\Plugins\Effects.dll (executable)
  MD5: E4B4DC7F3E8C2386BB6F13A1E6255389
  SHA256: A4D22D1C486FD8250F1DF411258145426A0E86B5AE62AB0E7FCDE434DC81064C
C:\Program Files (x86)\IrfanView\Plugins\Video.dll (executable)
  MD5: A542495157146C884E53CD4D9F29DB73
  SHA256: 9959C99750BD61C63EB13CDFA1E4AD00A3B28F406CF477B3A3DAF38649D4B962
C:\Program Files (x86)\IrfanView\i_languages.txt (text)
  MD5: 97AB52F18CC61F0867445520F02C48DE
  SHA256: 1582F3F3EB1996F65110E6CE2B36417D1733699CF804EB41E1980D0900D5DB27
C:\Program Files (x86)\IrfanView\i_plugins.txt (text)
  MD5: FDB30B80D4B1B7EEE555714F35B21C80
  SHA256: 895686A46A6F2AC8716E6F26CC4326A0D16E7DF5BBD99B471C35A4C9FE65D0EB
C:\Program Files (x86)\IrfanView\Plugins\Slideshow.exe (executable)
  MD5: B6F8C4934889D61392F86DB38212B693
  SHA256: 4E1C944AB7E941F39085327C463168ACF00528C7235410CCA1E63DA40090693E
C:\Program Files (x86)\IrfanView\i_view32.exe (executable)
  MD5: 65B407EAC0E14665D8B9887BD02F4E32
  SHA256: C1C56DD2925616A4B791B2CE0549EF069C4159F41570A9B0E84C494E2AE7F0E8
C:\Program Files (x86)\IrfanView\i_about.txt (text)
  MD5: EA24541F10CBEEC11664E1BB11A8D20E
  SHA256: F40E366D62F65175A4EA804F376BB6EE74CAEC2216B86A1471936DF358531C8F
C:\Program Files (x86)\IrfanView\Toolbars\Samuel_16.png (image)
  MD5: 49B9E25C8F622C2344E00665A40AED59
  SHA256: 07A1B34D2A6E259A515D179CAA01DF67E7A2DED0522919DF80ABB6281E73A4CD
C:\Program Files (x86)\IrfanView\Toolbars\Samuel_16.txt (text)
  MD5: CD758DB9BD24F6A3328F5EE8415ABC49
  SHA256: 4397D365A886300A288D24E2D5AB053A2D3194C99EACC2910DCD83D8E06C6ED9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 15
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
6412 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6552 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6412 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6552 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6412 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6552 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.185.174 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info