d9d4c5f3120a9420e2dbaf0ee8931556e161787fbc4297d5fb4e4c7616fdd668

Resubmissions

21-02-2023 02:49

230221-da7sbsfc3x 7

21-02-2023 02:48

230221-dafzlsfc3w 7

Analysis

max time kernel
20s
max time network
21s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iview462_x64_setup.exe
Size

4.0MB
MD5

d3cc699bd13e8257109df8704ed4804c
SHA1

ea47f92d438b150f02ac6922e4f92224b1c17991
SHA256

d9d4c5f3120a9420e2dbaf0ee8931556e161787fbc4297d5fb4e4c7616fdd668
SHA512

e78c7582afde2e6c51c3dbd6891869c51237a7d80e89966d5809db850dbbe5d062c63d512f89ee08fe43bce08cf8b0a12db7122752d1de1c63040d901b8b6fff
SSDEEP

98304:hSrSl80MMjJkOV+Yy/QnUpoSjMDv4C5DNyhUznQWCcx87aQ4p:hNlRkbYyCUpxMDv4C5DkuQWCj+b

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1028	i_view64.exe

Loads dropped DLL 14 IoCs

pid	Process
2032	iview462_x64_setup.exe
2032	iview462_x64_setup.exe
2032	iview462_x64_setup.exe
2032	iview462_x64_setup.exe
2032	iview462_x64_setup.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
2032	iview462_x64_setup.exe
1228	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲瀮杮	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳獐潈瑳搮汬昀敦瑣⹳汤l硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_plugins.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Languages\IP_Deutsch.lng	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\i_view64.ini	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view32.chm	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\#readme_zip_users.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩汰杵湩⹳硴tt汤le	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.png	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Tools.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.png	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\爣慥浤彥楺彰獵牥⹳硴tel㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳楖敤䕯灸牯⹴汤l⹳汤l硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳晅敦瑣⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭琯畨扭慮汩⹳瑨汭	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳敒楧湯慃瑰牵⹥汤l	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭猯楬敤桳睯栮浴le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳汓摩獥潨⹷硥e	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\iv_uninstall.exe	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Paint.dll	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴瀮杮	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\copy_files.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Icons.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_languages.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭是慲敭栮浴l瑨汭	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Metadata.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\PsHost.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_about.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩灯楴湯⹳硴tt汤le	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Jpg_transform.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Stub_Plugin.exe	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Effects.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\slideshow.html	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㈳挮浨洀l瑨汭	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱瀮杮	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱琮瑸	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲琮瑸	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳楷敳㍟⸲湰g	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳敍慴慤慴搮汬⸀汤l㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩扡畯⹴硴t瑣⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\癩畟楮獮慴汬攮數氀le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩档湡敧⹳硴t⹳汤le	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳潔汯⹳汤l档氮杮	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴琮瑸	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view64.exe	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭振灯役楦敬⹳硴tlel㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_options.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\thumbnails.html	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\慌杮慵敧⽳敄瑵捳⹨汤lel㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Slideshow.exe	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳捉湯⹳汤l	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\i_changes.txt	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Samuel_16.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳楷敳㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Plugins32\Effects.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\VideoExport.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Video.dll	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\frame.html	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.txt	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㐶攮數攀挭汯牯⵳楷敳㍟⸲硴t	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳灊彧牴湡晳牯⹭汤l㍟⸲硴t	iview462_x64_setup.exe
File created	C:\Program Files\IrfanView\Languages\Deutsch.dll	iview462_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳楖敤⹯汤l	iview462_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35996BB1-B192-11ED-911E-F2C06CA9A191} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{35996BB3-B192-11ED-911E-F2C06CA9A191}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.crw\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.g3	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pgm	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.qoi\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.flv\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mov	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mng\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ras\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rle\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sid	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.hdp\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jxl\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mpg\ = "IrfanView MPG File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wma\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.gif\shell\open\command	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pbm\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pgm\shell\open\command	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\ = "IrfanView PPM File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.avi\ = "IrfanView AVI File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ttf\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.cr2\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.heic\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmf\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.flv\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.avi	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd\shell\open\command	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tif\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xbm\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.aif\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,8"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.cr3	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jng\shell\open\command	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.png\ = "IrfanView PNG File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xbm\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv\ = "IrfanView WMV File"	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.iff\ = "IrfanView IFF File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mov\DefaultIcon	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rmi\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.au\ = "IrfanView AU File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.bmp\shell	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.gif\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jng\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.qoi	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wbmp\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\ = "IrfanView JLS File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jxl\shell\open	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ras\ = "IrfanView RAS File"	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wbmp\shell	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.webp\shell\open	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.swf\DefaultIcon	iview462_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ogg\shell	iview462_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wma\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,8"	iview462_x64_setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1760	iexplore.exe
1028	i_view64.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2032	iview462_x64_setup.exe
2032	iview462_x64_setup.exe
1760	iexplore.exe
1760	iexplore.exe
912	IEXPLORE.EXE
912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1760	2032	iview462_x64_setup.exe	28
PID 2032 wrote to memory of 1760	2032	iview462_x64_setup.exe	28
PID 2032 wrote to memory of 1760	2032	iview462_x64_setup.exe	28
PID 2032 wrote to memory of 1028	2032	iview462_x64_setup.exe	29
PID 2032 wrote to memory of 1028	2032	iview462_x64_setup.exe	29
PID 2032 wrote to memory of 1028	2032	iview462_x64_setup.exe	29
PID 1760 wrote to memory of 912	1760	iexplore.exe	31
PID 1760 wrote to memory of 912	1760	iexplore.exe	31
PID 1760 wrote to memory of 912	1760	iexplore.exe	31
PID 1760 wrote to memory of 912	1760	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\iview462_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\iview462_x64_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.irfanview.net/faq.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:912
- C:\Program Files\IrfanView\i_view64.exe
  "C:\Program Files\IrfanView\i_view64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IrfanView\Toolbars\Samuel_16.png

Filesize
10KB

MD5
49b9e25c8f622c2344e00665a40aed59

SHA1
5f977c67185297c2ed29c0ca32230e4f4ace7555

SHA256
07a1b34d2a6e259a515d179caa01df67e7a2ded0522919df80abb6281e73a4cd

SHA512
0c771762ae53ac8e610e2b1f58920c683fa8167c546eb99b37e055b10daafb347e4bcc91c00aecb5d8d4b2122437f4e8f99014f91acfc19d8922a4458dd4b47c

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
C:\Program Files\IrfanView\i_view64.ini

Filesize
42B

MD5
25a92f802d3ffd5519f7dab35c0aec3f

SHA1
dcbf6d35f41452515fa4a0402da6a8fd89bc0ac0

SHA256
668c0ba227f3b0c95419dbb9328311961346dfa42ab17da4f13e9777ddecf58a

SHA512
0928c2c9dc3136a83d90598afb5b51887950a671dd23e34a7a6a4ac5fa5c3497e13d00fe39527f13e2e9ef9088d2c7553a682589f5ac70e7cb593376276e2427

Download Submit
C:\Users\Admin\AppData\Roaming\IrfanView\i_view64.ini

Filesize
79B

MD5
f92e1ae28962ce5925a9d459ac6324de

SHA1
6a89d4f0a03ed3fbae7e80fe39b94fc32ae87cdb

SHA256
8558f9e261a7b1b482ba9c258bceceb3cf6e37832d92b875a2a28d1d2b6109d1

SHA512
9d4c02ad819748809205edd7a7b0150a844cd67e4e8152c15c5a0b6a6a2c49d22d07467871c2bebc5f92de03bcaa7d4666c32f5355ce09e10fb4abf776164590

Download Submit
C:\Users\Admin\AppData\Roaming\IrfanView\i_view64.ini

Filesize
79B

MD5
f92e1ae28962ce5925a9d459ac6324de

SHA1
6a89d4f0a03ed3fbae7e80fe39b94fc32ae87cdb

SHA256
8558f9e261a7b1b482ba9c258bceceb3cf6e37832d92b875a2a28d1d2b6109d1

SHA512
9d4c02ad819748809205edd7a7b0150a844cd67e4e8152c15c5a0b6a6a2c49d22d07467871c2bebc5f92de03bcaa7d4666c32f5355ce09e10fb4abf776164590

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\i_view64.exe

Filesize
2.3MB

MD5
75df432a4d2f45a620af22ba60aa711b

SHA1
bb07b1b9204f76a030db3f89e094676eb48bdb8c

SHA256
497e5e9d5aaeeb5e8d75a49ccd3181ec2aae822fc2edaf1f070f7118db54e2bc

SHA512
76cad6f7d1db02ad262667c96fdf28967d49a6ab60b018703fcd1b6dc9023a47c4b902aba2fdf8e24b372d7fea22e37b027557fbdb8a4fa4cebfd73a4089e7d2

Download Submit
\Program Files\IrfanView\iv_uninstall.exe

Filesize
141KB

MD5
92d2c69fe445e4f7db1fa19ccfe4525b

SHA1
7cc48f80043c74697ca61fe5ac451314d451c6fb

SHA256
7bcb4c03a98baf59643ba3e4c46900551a3af6a91282f0e7a6d4aaaff7ac1bf6

SHA512
b01fd23cc57645811655d4476b181cf0d5945d9dcb3f0fae4fcb56004d73ed1bedbe1dd831379efcd361dbee8909a65e24d07ac4367e5c8e4ebbc56e279dab79

Download Submit
memory/912-152-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download
memory/1760-151-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download