File name: vnc-4.0-x86_win.exe

Full analysis: https://app.any.run/tasks/4bd3e1bd-a9a7-4086-9a03-d08123f32910
Verdict: Malicious activity
Analysis date: December 14, 2023, 08:50:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5: 98EE2C22C45BBE3F250B73226D357845
SHA1: 1849E83BD4C85E2B102430B61D4D7368539FB490
SHA256: 3B8AF9FF8B62B4EE1189280CFAF01D4B6F3529C2E12272BFE7560AABC579B3B6
SSDEEP: 12288:aXGhddSgXLn30mxaR0g2KnFZKCJMFx38LyiD6uwqp0LAGi3j3TmKt58zhIYYt6st:gUdSg7Nk8CaFxAyiD6FK00jkOZNt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • vnc-4.0-x86_win.exe (PID: 2688)
      • is-QHTRR.tmp (PID: 1104)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • is-QHTRR.tmp (PID: 1104)
    • Reads the Windows owner or organization settings

      • is-QHTRR.tmp (PID: 1104)
    • Executes as Windows Service

      • winvnc4.exe (PID: 2788)
  • INFO

    • Checks supported languages

      • vnc-4.0-x86_win.exe (PID: 2688)
      • is-QHTRR.tmp (PID: 1104)
      • winvnc4.exe (PID: 588)
      • winvnc4.exe (PID: 2436)
      • winvnc4.exe (PID: 2672)
      • winvnc4.exe (PID: 2788)
      • vncconfig.exe (PID: 244)
      • winvnc4.exe (PID: 2936)
    • Reads the computer name

      • is-QHTRR.tmp (PID: 1104)
      • winvnc4.exe (PID: 588)
      • winvnc4.exe (PID: 2436)
      • winvnc4.exe (PID: 2672)
      • winvnc4.exe (PID: 2788)
      • vncconfig.exe (PID: 244)
      • winvnc4.exe (PID: 2936)
    • Create files in a temporary directory

      • vnc-4.0-x86_win.exe (PID: 2688)
      • is-QHTRR.tmp (PID: 1104)
    • Creates files in the program directory

      • is-QHTRR.tmp (PID: 1104)
    • Manual execution by a user

      • winvnc4.exe (PID: 2936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 35328
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x9220
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName: RealVNC Ltd.
FileDescription: VNC Setup
FileVersion:
InternalName: -
OriginalFileName: -
ProductName: -
ProductVersion: -
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 244
CMD: "C:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe" -service
Path: C:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe
Parent process: is-QHTRR.tmp
User: admin
Company: RealVNC Ltd.
Integrity Level: HIGH
Description: VNC Server Configuration Applet for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\vncconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 588
CMD: "C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -stop
Path: C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
Parent process: is-QHTRR.tmp
User: admin
Company: RealVNC Ltd.
Integrity Level: HIGH
Description: VNC Server for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\winvnc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1104
CMD: "C:\Users\admin\AppData\Local\Temp\is-O0QNS.tmp\is-QHTRR.tmp" /SL4 $1C03D8 C:\Users\admin\AppData\Local\Temp\vnc-4.0-x86_win.exe 511279 50688
Path: C:\Users\admin\AppData\Local\Temp\is-O0QNS.tmp\is-QHTRR.tmp
Parent process: vnc-4.0-x86_win.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\is-o0qns.tmp\is-qhtrr.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2436
CMD: "C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -unregister -register
Path: C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
Parent process: is-QHTRR.tmp
User: admin
Company: RealVNC Ltd.
Integrity Level: HIGH
Description: VNC Server for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\winvnc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2672
CMD: "C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -start
Path: C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
Parent process: is-QHTRR.tmp
User: admin
Company: RealVNC Ltd.
Integrity Level: HIGH
Description: VNC Server for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\winvnc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2688
CMD: "C:\Users\admin\AppData\Local\Temp\vnc-4.0-x86_win.exe"
Path: C:\Users\admin\AppData\Local\Temp\vnc-4.0-x86_win.exe
Parent process: explorer.exe
User: admin
Company: RealVNC Ltd.
Integrity Level: HIGH
Description: VNC Setup
Exit code: 0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\vnc-4.0-x86_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2784
CMD: "C:\Users\admin\AppData\Local\Temp\vnc-4.0-x86_win.exe"
Path: C:\Users\admin\AppData\Local\Temp\vnc-4.0-x86_win.exe
Parent process: explorer.exe
User: admin
Company: RealVNC Ltd.
Integrity Level: MEDIUM
Description: VNC Setup
Exit code: 3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\vnc-4.0-x86_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2788
CMD: "C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -service
Path: C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
Parent process: services.exe
User: SYSTEM
Company: RealVNC Ltd.
Integrity Level: SYSTEM
Description: VNC Server for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\winvnc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2936
CMD: "C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe" -noconsole
Path: C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
Parent process: explorer.exe
User: admin
Company: RealVNC Ltd.
Integrity Level: MEDIUM
Description: VNC Server for Win32
Exit code: 0
Version: 4.0
Modules
Images
c:\program files (x86)\realvnc\vnc4\winvnc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 1 382
Read events: 1 381
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1104) is-QHTRR.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 27
Executable files: 15
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\unins000.exe | executable
MD5:A73B4C19A233181CD4CF0B9B8B3F7FBF
SHA256:B2C14524F74DE7831B3246313485E4DEBECBD235647791A025653720BEF850B6
1104 | is-QHTRR.tmp | C:\Users\admin\AppData\Local\Temp\is-MDAVG.tmp\_isdecmp.dll | executable
MD5:B4786EB1E1A93633AD1B4C112514C893
SHA256:2AE4169F721BEB389A661E6DBB18BC84EF38556AF1F46807DA9D87AEC2A6F06F
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\is-L6F7K.tmp | executable
MD5:7D042213EC10B666923C72DA24EE4B9E
SHA256:9E1E76C0EBD31BECCE60F214CC1034314FB374B6CB011E919F33F58970DFB816
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe | executable
MD5:4A84D7C950986D3AE898143451EFAE29
SHA256:B82FD264F28D6EEB49CDE267866E0E153E364128DA228FF8E8B0BBF22289B626
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe | executable
MD5:7043DDF51D7135C1D1B83B4213DFED61
SHA256:B00D8EA00CB9C6CEF087E574795FE2E309BD8EF61F21BF7E6F6595D3F3707315
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\is-PTJV7.tmp | executable
MD5:7043DDF51D7135C1D1B83B4213DFED61
SHA256:B00D8EA00CB9C6CEF087E574795FE2E309BD8EF61F21BF7E6F6595D3F3707315
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\is-M7U7J.tmp | executable
MD5:4A84D7C950986D3AE898143451EFAE29
SHA256:B82FD264F28D6EEB49CDE267866E0E153E364128DA228FF8E8B0BBF22289B626
1104 | is-QHTRR.tmp | C:\Users\admin\AppData\Local\Temp\is-MDAVG.tmp\_shfoldr.dll | executable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
1104 | is-QHTRR.tmp | C:\Program Files (x86)\RealVNC\VNC4\is-Q6G7D.tmp | executable
MD5:A73B4C19A233181CD4CF0B9B8B3F7FBF
SHA256:B2C14524F74DE7831B3246313485E4DEBECBD235647791A025653720BEF850B6
1104 | is-QHTRR.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealVNC\VNC Server 4 (User-Mode)\Run VNC Server.lnk | binary
MD5:CB37A003132966F61013A8CA8DB73FC4
SHA256:F63A158829238A2DB0214F09766DF8490496C395888957900436C75642805AEE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1956 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
324 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info