d9d4c5f3120a9420e2dbaf0ee8931556e161787fbc4297d5fb4e4c7616fdd668

Analysis

max time kernel
322s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10/02/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iview462_x64_setup.exe
Size

4.0MB
MD5

d3cc699bd13e8257109df8704ed4804c
SHA1

ea47f92d438b150f02ac6922e4f92224b1c17991
SHA256

d9d4c5f3120a9420e2dbaf0ee8931556e161787fbc4297d5fb4e4c7616fdd668
SHA512

e78c7582afde2e6c51c3dbd6891869c51237a7d80e89966d5809db850dbbe5d062c63d512f89ee08fe43bce08cf8b0a12db7122752d1de1c63040d901b8b6fff
SSDEEP

98304:hSrSl80MMjJkOV+Yy/QnUpoSjMDv4C5DNyhUznQWCcx87aQ4p:hNlRkbYyCUpxMDv4C5DkuQWCj+b

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	iview462_x64_setup.exe

Executes dropped EXE 3 IoCs

pid	Process
3116	i_view64.exe
4984	i_view64.exe
2180	i_view64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲瀮杮	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳楖敤⹯汤l਒ɺ	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Tools.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-human_48.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_about.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_languages.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳獐潈瑳搮汬昀敦瑣⹳汤l硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\慌杮慵敧⽳敄瑵捳⹨汤lel㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\#readme_zip_users.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳汓摩獥潨⹷硥e	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩慬杮慵敧⹳硴t汤le	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\frame.html	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.png	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴瀮杮	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Languages\Deutsch.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Icons.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Paint.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\VideoExport.dll	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳晅敦瑣⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩扡畯⹴硴t瑣⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\癩畟楮獮慴汬攮數氀le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭是慲敭栮浴l瑨汭	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳楖敤䕯灸牯⹴汤l⹳汤l硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_options.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭猯楬敤桳睯栮浴le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳潔汯⹳汤l档氮杮	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\copy_files.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\PsHost.dll	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩档湡敧⹳硴t⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭琯畨扭慮汩⹳瑨汭	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㐶攮數攀挭汯牯⵳楷敳㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳灊彧牴湡晳牯⹭汤l㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\i_view64.ini	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_plugins.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Samuel_16.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-human_48.png	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳瑓扵偟畬楧⹮硥el㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Plugins32\Effects.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\iv_uninstall.exe	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㈳挮浨洀l瑨汭	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳慐湩⹴汤l琮瑸	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\RegionCapture.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view64.exe	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_changes.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view32.chm	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱瀮杮	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\慌杮慵敧⽳偉䑟略獴档氮杮	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Metadata.dll	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\爣慥浤彥楺彰獵牥⹳硴tel㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳汐杵湩㍳⼲晅敦瑣⹳汤l硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳捉湯⹳汤l਒ɺ	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩汰杵湩⹳硴tt汤le	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\slideshow.html	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴琮瑸	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭振灯役楦敬⹳硴tlel㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳楷敳㍟⸲湰g	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Video.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Effects.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\thumbnails.html	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱琮瑸	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲琮瑸	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.png	iview462_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.clp\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ecw\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sid\ = "IrfanView SID File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sid\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ogg\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Browse with &IrfanView\ = "Browse with &IrfanView"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ani\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ttf\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.djvu\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpg\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.webp	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mp3	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mp3\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.eps\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ico\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mpg\ = "IrfanView MPG File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ogg	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wma\shell\open\command	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.raw\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\ = "IrfanView.tif"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcx	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.webp\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	i_view64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\shell\open\command	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pgm	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xpm\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcm\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.gif\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.cur\ = "IrfanView CUR File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.cur\shell	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcx\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ras\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.flv\ = "IrfanView FLV File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\i_view64.exe\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.bmp\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.heic\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pbm\ = "IrfanView PBM File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.png\ = "IrfanView PNG File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.asf\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.asf\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,9"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wma\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dxf\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.png\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.qoi\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rle	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.clp\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pbm\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.psp\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.avi\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,9"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mid\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.clp	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.clp\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	i_view64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d\ = "IrfanView B3D File"	iview462_x64_setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4060	iview462_x64_setup.exe
4060	iview462_x64_setup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 536	4060	iview462_x64_setup.exe	90
PID 4060 wrote to memory of 536	4060	iview462_x64_setup.exe	90
PID 4060 wrote to memory of 4972	4060	iview462_x64_setup.exe	92
PID 4060 wrote to memory of 4972	4060	iview462_x64_setup.exe	92
PID 4060 wrote to memory of 3756	4060	iview462_x64_setup.exe	91
PID 4060 wrote to memory of 3756	4060	iview462_x64_setup.exe	91
PID 4060 wrote to memory of 3116	4060	iview462_x64_setup.exe	93
PID 4060 wrote to memory of 3116	4060	iview462_x64_setup.exe	93
PID 4060 wrote to memory of 4984	4060	iview462_x64_setup.exe	94
PID 4060 wrote to memory of 4984	4060	iview462_x64_setup.exe	94
PID 4060 wrote to memory of 2180	4060	iview462_x64_setup.exe	95
PID 4060 wrote to memory of 2180	4060	iview462_x64_setup.exe	95
PID 4972 wrote to memory of 1684	4972	msedge.exe	98
PID 4972 wrote to memory of 1684	4972	msedge.exe	98
PID 3756 wrote to memory of 4244	3756	msedge.exe	97
PID 3756 wrote to memory of 4244	3756	msedge.exe	97
PID 536 wrote to memory of 992	536	msedge.exe	96
PID 536 wrote to memory of 992	536	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\iview462_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\iview462_x64_setup.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.irfanview.net/faq.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9051346f8,0x7ff905134708,0x7ff905134718
    3⤵
    PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.irfanview.net/faq.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9051346f8,0x7ff905134708,0x7ff905134718
    3⤵
    PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.irfanview.net/faq.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9051346f8,0x7ff905134708,0x7ff905134718
    3⤵
    PID:1684
- C:\Program Files\IrfanView\i_view64.exe
  "C:\Program Files\IrfanView\i_view64.exe"
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Program Files\IrfanView\i_view64.exe
  "C:\Program Files\IrfanView\i_view64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4984
- C:\Program Files\IrfanView\i_view64.exe
  "C:\Program Files\IrfanView\i_view64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IrfanView\Toolbars\Samuel_16.png

Filesize
10KB

MD5
49b9e25c8f622c2344e00665a40aed59

SHA1
5f977c67185297c2ed29c0ca32230e4f4ace7555

SHA256
07a1b34d2a6e259a515d179caa01df67e7a2ded0522919df80abb6281e73a4cd

SHA512
0c771762ae53ac8e610e2b1f58920c683fa8167c546eb99b37e055b10daafb347e4bcc91c00aecb5d8d4b2122437f4e8f99014f91acfc19d8922a4458dd4b47c

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.ini

Filesize
42B

MD5
25a92f802d3ffd5519f7dab35c0aec3f

SHA1
dcbf6d35f41452515fa4a0402da6a8fd89bc0ac0

SHA256
668c0ba227f3b0c95419dbb9328311961346dfa42ab17da4f13e9777ddecf58a

SHA512
0928c2c9dc3136a83d90598afb5b51887950a671dd23e34a7a6a4ac5fa5c3497e13d00fe39527f13e2e9ef9088d2c7553a682589f5ac70e7cb593376276e2427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a58a7931227f93b9a54bc982c0d99582

SHA1
7591b129f025f2003039a81830b9cd5d7043d3e2

SHA256
a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0

SHA512
24eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b

Download Submit
C:\Users\Admin\AppData\Roaming\IrfanView\i_view64.ini

Filesize
238B

MD5
514b9ecbdc05d377276528ea232c4df0

SHA1
6641e509e2d5e54ea50f93e4256470cd61925a65

SHA256
d317839a5b34985617a3069c469f5b1e0f8ba1bdd149268371919d42b2e7e09b

SHA512
42e5c248f186efb053ebbe835dba1ce37cbc8a81ab7179b9d19f63d728bc803cb0105bb6b8589dadec3719c75bf70704bbce3a121eb87a92f9abd215a475b9bc

Download Submit