Malware analysis VNC scanner GUI v 1.2.rar Malicious activity

Add for printing

File name:	VNC scanner GUI v 1.2.rar
Full analysis:	https://app.any.run/tasks/239c7b68-a111-480c-9975-38a7b77fd217
Verdict:	Malicious activity
Analysis date:	April 26, 2025, 21:59:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc upx delphi evasion
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	06C65EA441088890072741720F1A3587
SHA1:	0F30A58D3F510DDC78F14D4312EC6F90EE6E61CB
SHA256:	4F2D86771B17DAF80F305C8A49B49F09AB1F5016D0628FD06D6B39BB1745EB1F
SSDEEP:	98304:GdcSG/l3QV54DQihFJRvlx6TpypoY0rc723/k2guzLYuQjQffzYTkO+XJdZL3WcO:X8X/vt86FKr5kaLpFB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 4844)
SUSPICIOUS
- Connects to unusual port
  - vnc.exe (PID: 7256)
  - vnc.exe (PID: 1228)
  - vnc.exe (PID: 7360)
  - vnc.exe (PID: 7552)
  - vnc.exe (PID: 6640)
  - vnc.exe (PID: 7368)
  - vnc.exe (PID: 7540)
  - vnc.exe (PID: 7456)
  - vnc.exe (PID: 7432)
  - vnc.exe (PID: 7560)
  - vnc.exe (PID: 4892)
  - vnc.exe (PID: 4988)
- Application launched itself
  - CCleaner64.exe (PID: 5384)
  - CCleaner64.exe (PID: 6752)
- Executable content was dropped or overwritten
  - CCleaner64.exe (PID: 6752)
  - CCleaner64.exe (PID: 4212)
  - TiWorker.exe (PID: 4304)
- Executes as Windows Service
  - vds.exe (PID: 4220)
- Checks for external IP
  - CCleaner64.exe (PID: 6752)
- Process drops legitimate windows executable
  - TiWorker.exe (PID: 4304)
- Executing commands from a ".bat" file
  - vnc_scanner_gui.exe (PID: 8188)
- Starts CMD.EXE for commands execution
  - vnc_scanner_gui.exe (PID: 8188)
INFO
- Manual execution by a user
  - vnc_scanner_gui.exe (PID: 8188)
  - cmd.exe (PID: 7828)
  - vnc_scanner_gui.exe (PID: 7704)
  - notepad.exe (PID: 7636)
  - CCleaner64.exe (PID: 5384)
  - notepad.exe (PID: 6048)
- Checks supported languages
  - vnc_scanner_gui.exe (PID: 7704)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4844)
- Reads the computer name
  - vnc_scanner_gui.exe (PID: 7704)
- UPX packer has been detected
  - vnc_scanner_gui.exe (PID: 8188)
- Compiled with Borland Delphi (YARA)
  - vnc_scanner_gui.exe (PID: 8188)
  - conhost.exe (PID: 5640)
  - notepad.exe (PID: 7636)
  - slui.exe (PID: 5968)
- Detects AutoHotkey samples (YARA)
  - CCleaner64.exe (PID: 4212)
- The sample compiled with english language support
  - CCleaner64.exe (PID: 6752)
  - CCleaner64.exe (PID: 4212)
  - TiWorker.exe (PID: 4304)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	-
UncompressedSize:	-
OperatingSystem:	Win32
ArchivedFileName:	VNC_bypauth.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

188

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1228

vnc.exe -i 41.57.96.98 -p 3389 -cT -T 500

C:\Users\admin\Desktop\vnc.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225786

Modules

Images
c:\users\admin\desktop\vnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll

3032

C:\WINDOWS\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Virtual Disk Service Loader

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4212

"C:\Program Files\CCleaner\CCleaner64.exe" /monitor

C:\Program Files\CCleaner\CCleaner64.exe

CCleaner64.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

HIGH

Description:

CCleaner

Version:

6.20.0.10897

Modules

Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

4220

C:\WINDOWS\System32\vds.exe

C:\Windows\System32\vds.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4304

C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding

C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Modules Installer Worker

Version:

10.0.19041.3989 (WinBuild.160101.0800)

Modules

Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

4844

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VNC scanner GUI v 1.2.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4892

vnc.exe -i 41.57.96.91 -p 3389 -cT -T 500

C:\Users\admin\Desktop\vnc.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\vnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll

4988

vnc.exe -i 41.57.96.91 -p 3389 -cT -T 500

C:\Users\admin\Desktop\vnc.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\vnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

5376

C:\WINDOWS\system32\cmd.exe /c start.bat

C:\Windows\SysWOW64\cmd.exe

—

vnc_scanner_gui.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

5384

"C:\Program Files\CCleaner\CCleaner64.exe"

C:\Program Files\CCleaner\CCleaner64.exe

—

explorer.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

MEDIUM

Description:

CCleaner

Exit code:

Version:

6.20.0.10897

Modules

Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll

Add for printing

Total events

68 725

Read events

68 501

Write events

144

Delete events

Modification events


(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\VNC scanner GUI v 1.2.rar
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(4844) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

Add for printing

Executable files

Suspicious files

226

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4844.11807\start.bat		—
		MD5:—	SHA256:—
6752	CCleaner64.exe	C:\Program Files\CCleaner\gcapi_dll.dll		executable
		MD5:F17F96322F8741FE86699963A1812897	SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
4844	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4844.11807\IPs.txt		text
		MD5:9AECA50A64356F00AED949F159F577F4	SHA256:AF045E591BB1ADA04EAE57A3922B600E0D79A8B48FFEC626CD4489BC5963299B
6752	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:2C24A05D3616BBB5AA9C39A12617F49A	SHA256:9413642317AD0EB84132945E89581EC5E5E5F70EC23FC38B1128811A4B993967
6752	CCleaner64.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\info[1].json		binary
		MD5:9FFABD3D365B1F3AA2594B31BF11731D	SHA256:4AD1FDDB052FBF740EA2DCA19DC0D7508570B4D29FDF696B0309970856F0BE03
6752	CCleaner64.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5AKCLQ9B65QIQPXLUA9F.temp		binary
		MD5:3D5ABE5DA0A8CD64EE85E28F5099DCD2	SHA256:594BC039AB118EF3377757B8D2E2D3C8A0CE60DD3EB155B85445167F2DD789CB
6752	CCleaner64.exe	C:\Program Files\CCleaner\gcapi_17457049396752.dll		executable
		MD5:F17F96322F8741FE86699963A1812897	SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
6752	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:05E1820666B02195BBB959A81AE5AFE4	SHA256:0588A8FAA8FDAC361AC48C11F1AC8CA166C1A411CB5C449827A6CA58077A95E6
6752	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:DBFE3DFF93A49B5FD68DDB1042B710D7	SHA256:87FC40868FF3EA949B4BE5918DF844FEBF851F2BC447EBF4FAEE3DF1C9743C73
6752	CCleaner64.exe			—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7996	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7996	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4212	CCleaner64.exe	GET	200	2.16.168.113:80	http://ncc.avast.com/ncc.txt	unknown	—	—	whitelisted
6752	CCleaner64.exe	GET	200	2.16.168.113:80	http://ncc.avast.com/ncc.txt	unknown	—	—	whitelisted
6752	CCleaner64.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
756	lsass.exe	GET	200	18.245.38.41:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.216.77.22:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	40.126.31.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 51.104.136.2	whitelisted
crl.microsoft.com	23.216.77.22 23.216.77.36 23.216.77.25 23.216.77.8 23.216.77.6 2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131 23.219.150.101	whitelisted
google.com	142.250.186.78	whitelisted
login.live.com	40.126.31.2 40.126.31.73 40.126.31.128 20.190.159.4 20.190.159.128 40.126.31.0 40.126.31.1 20.190.159.73	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Threats

PID	Process	Class	Message
7540	vnc.exe	Misc activity	ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
6752	CCleaner64.exe	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI

Add for printing

No debug info

General Info

VNC scanner GUI v 1.2.rar

06C65EA441088890072741720F1A3587

0F30A58D3F510DDC78F14D4312EC6F90EE6E61CB

4F2D86771B17DAF80F305C8A49B49F09AB1F5016D0628FD06D6B39BB1745EB1F

98304:GdcSG/l3QV54DQihFJRvlx6TpypoY0rc723/k2guzLYuQjQffzYTkO+XJdZL3WcO:X8X/vt86FKr5kaLpFB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Connects to unusual port

Application launched itself

Executable content was dropped or overwritten

Executes as Windows Service

Checks for external IP

Process drops legitimate windows executable

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

UPX packer has been detected

Compiled with Borland Delphi (YARA)

Detects AutoHotkey samples (YARA)

The sample compiled with english language support

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings