Malware analysis VNC-Viewer-7.5.1-Windows-64bit.exe Malicious activity

Add for printing

File name:	VNC-Viewer-7.5.1-Windows-64bit.exe
Full analysis:	https://app.any.run/tasks/ce250a80-67d5-4964-9f8c-b9e14a62f564
Verdict:	Malicious activity
Analysis date:	August 04, 2023, 03:18:01
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	5E343F3422E53B115C433250C5AE0B54
SHA1:	5C002D127BC884C0FB834435A7EBB2B23A0706EE
SHA256:	624AEF6C1ADD55BB540A3C61B581F4008720EAB7478C4711F54E815F457C7FEA
SSDEEP:	196608:HO9sYnLkWzB+irelD+U4PfmzLE2LmFzvpF1V:HOvLrCB+U4PfmzI2LmFzr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads the Internet Settings
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)
- Connects to unusual port
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)
- Application launched itself
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
INFO
- Creates files or folders in the user directory
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
- Checks supported languages
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)
- The process checks LSA protection
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
- Reads the computer name
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
- Reads the machine GUID from the registry
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 3060)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 2208)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 244)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 1120)
  - VNC-Viewer-7.5.1-Windows-64bit.exe (PID: 712)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

EXIF

EXE

ProgramName:	VNC® Viewer
ProductVersion:	7.5.1 (r50075)
ProductName:	VNC®
OriginalFileName:	vncviewer.exe
LegalTrademarks:	RealVNC and VNC are trademarks of RealVNC Ltd and are protected by trademark registrations and/or pending trademark applications in the European Union, United States of America and other jurisdictions.
LegalCopyright:	Copyright © RealVNC Ltd.
InternalName:	vncviewer
FileVersion:	7.5.1 (r50075)
FileDescription:	VNC® Viewer
CompanyName:	RealVNC
CharacterSet:	Unicode
LanguageCode:	English (British)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	7.5.1.50075
FileVersionNumber:	7.5.1.50075
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0x60a180
UninitializedDataSize:	-
InitializedDataSize:	3786240
CodeSize:	7127552
LinkerVersion:	14.16
PEType:	PE32+
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2023:05:30 12:07:58+00:00
MachineType:	AMD AMD64

Summary

Architecture:	IMAGE_FILE_MACHINE_AMD64
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	30-May-2023 12:07:58
Detected languages:	English - United Kingdom English - United States
Debug artifacts:	C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.5.x\label\con-windows-64\bld64\RelWithDebInfo\vncviewer.pdb
CompanyName:	RealVNC
FileDescription:	VNC® Viewer
FileVersion:	7.5.1 (r50075)
InternalName:	vncviewer
LegalCopyright:	Copyright © RealVNC Ltd.
LegalTrademarks:	RealVNC and VNC are trademarks of RealVNC Ltd and are protected by trademark registrations and/or pending trademark applications in the European Union, United States of America and other jurisdictions.
OriginalFilename:	vncviewer.exe
ProductName:	VNC®
ProductVersion:	7.5.1 (r50075)
ProgramName:	VNC® Viewer

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000138

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_AMD64
Number of sections:	8
Time date stamp:	30-May-2023 12:07:58
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00F0
Characteristics:	IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x006CC0CC	0x006CC200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.49397
.rdata	0x006CE000	0x002A3890	0x002A3A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.51998
.data	0x00972000	0x0002A7B0	0x00018A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.57193
.pdata	0x0099D000	0x00052DA0	0x00052E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.54842
.rodata	0x009F0000	0x00000890	0x00000A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.81285
.gehcont(	0x009F1000	0x00000028	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0.203682
.rsrc	0x009F2000	0x00080EB0	0x00081000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.05178
.reloc	0x00A73000	0x0000B7C8	0x0000B800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	5.46526

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.19874	1678	Latin 1 / Western European	English - United States	RT_MANIFEST
2	4.65517	1128	Latin 1 / Western European	English - United States	RT_ICON
3	4.17421	4264	Latin 1 / Western European	English - United States	RT_ICON
4	3.9793	4264	Latin 1 / Western European	English - United States	RT_ICON
5	3.68509	9640	Latin 1 / Western European	English - United States	RT_ICON
6	3.48661	9640	Latin 1 / Western European	English - United States	RT_ICON
7	7.94883	10622	Latin 1 / Western European	English - United States	RT_ICON
ADDRESSBOOK_2X.PNG	5.794	177	Latin 1 / Western European	English - United States	BUILTINRESOURCE
ADDRESSBOOK_SEL_2X.PNG	5.62152	177	Latin 1 / Western European	English - United States	BUILTINRESOURCE
ANNOTATEOFF.PNG	7.46722	985	Latin 1 / Western European	English - United States	BUILTINRESOURCE

Imports


ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe -child 118.107.190.199 -hash f9240995d5c0c81a7665b11606c491b1ecfc6ed848225610becdc707197a73ad -sid S-1-5-21-3896776584-4254864009-862391680-1000 RealVNC.admin.vncviewer.launchpipe.1545172113

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe

VNC-Viewer-7.5.1-Windows-64bit.exe

User:

admin

Company:

RealVNC

Integrity Level:

MEDIUM

Description:

VNC® Viewer

Exit code:

Version:

7.5.1 (r50075)

Modules

Images
c:\users\admin\appdata\roaming\vnc-viewer-7.5.1-windows-64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

712

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe -child 80.28.149.168 -hash 918a4de029d4095b1f16b6a78b5851394229248077089e94fd5adf00c07bf3b6 -sid S-1-5-21-3896776584-4254864009-862391680-1000 RealVNC.admin.vncviewer.launchpipe.3689056748

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe

VNC-Viewer-7.5.1-Windows-64bit.exe

User:

admin

Company:

RealVNC

Integrity Level:

MEDIUM

Description:

VNC® Viewer

Exit code:

Version:

7.5.1 (r50075)

Modules

Images
c:\users\admin\appdata\roaming\vnc-viewer-7.5.1-windows-64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

1120

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe -child 119.78.163.195 -hash 392aa2057242eec11d2661934d02fecbd620c0ee8c80b8823469c560fc3fb650 -sid S-1-5-21-3896776584-4254864009-862391680-1000 RealVNC.admin.vncviewer.launchpipe.1382060758

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe

VNC-Viewer-7.5.1-Windows-64bit.exe

User:

admin

Company:

RealVNC

Integrity Level:

MEDIUM

Description:

VNC® Viewer

Exit code:

Version:

7.5.1 (r50075)

Modules

Images
c:\users\admin\appdata\roaming\vnc-viewer-7.5.1-windows-64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

2208

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe -child 18.224.21.93 -hash 9a8aa714e58b05c9ff23db8ecddc1086a08321f9e6c2d9d0b842c47839dbbd3c -sid S-1-5-21-3896776584-4254864009-862391680-1000 RealVNC.admin.vncviewer.launchpipe.3755501234

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe

VNC-Viewer-7.5.1-Windows-64bit.exe

User:

admin

Company:

RealVNC

Integrity Level:

MEDIUM

Description:

VNC® Viewer

Exit code:

Version:

7.5.1 (r50075)

Modules

Images
c:\users\admin\appdata\roaming\vnc-viewer-7.5.1-windows-64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

3060

"C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe"

C:\Users\admin\AppData\Roaming\VNC-Viewer-7.5.1-Windows-64bit.exe

explorer.exe

User:

admin

Company:

RealVNC

Integrity Level:

MEDIUM

Description:

VNC® Viewer

Exit code:

Version:

7.5.1 (r50075)

Modules

Images
c:\users\admin\appdata\roaming\vnc-viewer-7.5.1-windows-64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

Add for printing

Total events

2 431

Read events

2 424

Write events

Delete events

Modification events


(PID) Process:	(2208) VNC-Viewer-7.5.1-Windows-64bit.exe	Key:	HKEY_CURRENT_USER\Software\RealVNC\vncviewer
Operation:	write	Name:	_AnlInclRate
Value: 0.0025
(PID) Process:	(244) VNC-Viewer-7.5.1-Windows-64bit.exe	Key:	HKEY_CURRENT_USER\Software\RealVNC\vncviewer
Operation:	write	Name:	_AnlInclRate
Value: 0.0025
(PID) Process:	(1120) VNC-Viewer-7.5.1-Windows-64bit.exe	Key:	HKEY_CURRENT_USER\Software\RealVNC\vncviewer
Operation:	write	Name:	_AnlInclRate
Value: 0.0025
(PID) Process:	(712) VNC-Viewer-7.5.1-Windows-64bit.exe	Key:	HKEY_CURRENT_USER\Software\RealVNC\vncviewer
Operation:	write	Name:	_AnlInclRate
Value: 0.0025
(PID) Process:	(712) VNC-Viewer-7.5.1-Windows-64bit.exe	Key:	HKEY_CURRENT_USER\Software\RealVNC\vncviewer\KnownHosts
Operation:	write	Name:	80.28.149.168::5900/extra
Value: 0100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Local\RealVNC\vncviewer.d\BootstrapCache.pkg		binary
		MD5:386BCE9FBA12D1C299E208CAE647366A	SHA256:E69EF971F2698196F7181672AC39D315DBD57418A32BA9E1747E4A384744C4D7
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d74b787a-02d5-4711-baec-fc2ce83ba2ee.vnc.tmp		text
		MD5:74C064B74A5B33FF37423C7A838B5720	SHA256:0E1550AFAF5A0D6AA6C7D7941B7A7A678950D7877B63F7DBF39B53DF2FE0EB51
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d237f3a9-7079-44eb-8ef8-6c3f05c5822f.vnc.tmp		text
		MD5:C57E4A1D9A24F6E2D232720446F97C64	SHA256:25F1501A3406F33FA3F89E6922FA1AB1458EE782C578067A50CF05FC5B5068E7
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d74b787a-02d5-4711-baec-fc2ce83ba2ee.jrle		binary
		MD5:16CA765E70A1D96350466367DCD8973E	SHA256:CF4EE8DCA7960344CB79888F9F0D7080FF00D42BD64AC50939B40131F37F1AA4
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d237f3a9-7079-44eb-8ef8-6c3f05c5822f.vnc		text
		MD5:C57E4A1D9A24F6E2D232720446F97C64	SHA256:25F1501A3406F33FA3F89E6922FA1AB1458EE782C578067A50CF05FC5B5068E7
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Local\RealVNC\vncviewer.log		text
		MD5:C326F6A426484EB651DB8ADCF70830A1	SHA256:EE52DABA4CDC526843C250E6C2BD29A5DC8AF8762B98D0975CCF1B6E70AD8045
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d237f3a9-7079-44eb-8ef8-6c3f05c5822f.jrle.tmp		binary
		MD5:95F1AD49FCA009CDE618E3AA906275CA	SHA256:AB6DD3C1F0727A65A6FF9ACFB4BBF3E4D18E052EDE8002F8569939F0C7001E2F
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d237f3a9-7079-44eb-8ef8-6c3f05c5822f.jrle		binary
		MD5:95F1AD49FCA009CDE618E3AA906275CA	SHA256:AB6DD3C1F0727A65A6FF9ACFB4BBF3E4D18E052EDE8002F8569939F0C7001E2F
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Local\RealVNC\vncviewer.d\BootstrapCache.pkg.tmp		binary
		MD5:386BCE9FBA12D1C299E208CAE647366A	SHA256:E69EF971F2698196F7181672AC39D315DBD57418A32BA9E1747E4A384744C4D7
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	C:\Users\admin\AppData\Roaming\RealVNC\ViewerStore\d74b787a-02d5-4711-baec-fc2ce83ba2ee.vnc		text
		MD5:74C064B74A5B33FF37423C7A838B5720	SHA256:0E1550AFAF5A0D6AA6C7D7941B7A7A678950D7877B63F7DBF39B53DF2FE0EB51

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
3060	VNC-Viewer-7.5.1-Windows-64bit.exe	165.254.191.229:443	hb-c.services.vnc.com	NTT-LTD-2914	US	unknown
2208	VNC-Viewer-7.5.1-Windows-64bit.exe	18.224.21.93:5900	—	—	—	unknown
244	VNC-Viewer-7.5.1-Windows-64bit.exe	118.107.190.199:5900	—	—	—	suspicious
1120	VNC-Viewer-7.5.1-Windows-64bit.exe	119.78.163.195:5900	—	—	—	unknown
712	VNC-Viewer-7.5.1-Windows-64bit.exe	80.28.149.168:5900	—	—	—	suspicious

DNS requests

Domain	IP	Reputation
hb-c.services.vnc.com	165.254.191.229	unknown
dns.msftncsi.com	131.107.255.255	shared

Threats

PID	Process	Class	Message
244	VNC-Viewer-7.5.1-Windows-64bit.exe	Potential Corporate Privacy Violation	SUSPICIOUS [ANY.RUN] VNC negotiation was detected (ProtocolVersion message)
712	VNC-Viewer-7.5.1-Windows-64bit.exe	Potential Corporate Privacy Violation	SUSPICIOUS [ANY.RUN] VNC negotiation was detected (Server Security type - None)

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

VNC-Viewer-7.5.1-Windows-64bit.exe

5E343F3422E53B115C433250C5AE0B54

5C002D127BC884C0FB834435A7EBB2B23A0706EE

624AEF6C1ADD55BB540A3C61B581F4008720EAB7478C4711F54E815F457C7FEA

196608:HO9sYnLkWzB+irelD+U4PfmzLE2LmFzvpF1V:HOvLrCB+U4PfmzI2LmFzr

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the Internet Settings

Connects to unusual port

Application launched itself

INFO

Creates files or folders in the user directory

Checks supported languages

The process checks LSA protection

Reads the computer name

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings