Edit tour

Windows Analysis Report
VNC-Viewer-7.13.1-Windows.exe

Overview

General Information

Sample name:	VNC-Viewer-7.13.1-Windows.exe
Analysis ID:	1582761
MD5:	3bf82674647a748a4036984c7c56521b
SHA1:	9c948a237542bc26a5d9b711de2ffe4c9d88cc7b
SHA256:	7cb888c789083eac23e16b061cee49aea14bbe14e7a784fb0fca5ce0c23ed429
Infos:

Detection

Score:	14
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	49
Range:	0 - 100

Signatures

Contains VNC / remote desktop functionality (version string found)

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

VNC-Viewer-7.13.1-Windows.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe" MD5: 3BF82674647A748A4036984C7C56521B)

msiexec.exe (PID: 7356 cmdline: C:\Windows\system32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\vnc64.msi ProductLanguage=1033 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7416 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7840 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 0E7A688FE1F05D12731371BA02BFD3BE E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Cryptography

Source: vncviewer.exe.2.dr

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_5c50c4ab-0

Compliance

Uses 32bit PE files

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\logmessages.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msiKey	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}

Jump to behavior

PE / OLE file has a valid certificate

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installhlp.pdbV source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installers\viewer_bootstrap.pdb% source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\logmessages.pdb source: logmessages.dll.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\installhlp.pdbO source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, 641d67.msi.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installhlp.pdb source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\installhlp.pdb source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, 641d67.msi.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installers\viewer_bootstrap.pdb source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\vncviewer.pdb source: vncviewer.exe.2.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Detected non-DNS traffic on DNS port

Source: global traffic	TCP traffic: 192.168.2.4:55689 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:64609 -> 162.159.36.2:53

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSI1F97.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: http://wixtoolset.org
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: http://www.realvnc.com/
Source: vncviewer.exe.2.dr	String found in binary or memory: https://hb-a.services.vnc.com:443/bootstrap/1.2/configuration
Source: vncviewer.exe.2.dr	String found in binary or memory: https://hb-b.services.vnc.com:443/bootstrap/1.2/configuration
Source: vncviewer.exe.2.dr	String found in binary or memory: https://hb-c.services.vnc.com:443/bootstrap/1.2/configuration
Source: vncviewer.exe.2.dr	String found in binary or memory: https://help.realvnc.com
Source: vncviewer.exe.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/360002450292
Source: vncviewer.exe.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/360002450292cmisc_secdlg_ard_message_html_fmt#FFFFFF
Source: vncviewer.exe.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/360003474552
Source: vncviewer.exe.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/360003474552helpConnectingbuttonBgvnc_connect_brandingab_
Source: 641d67.msi.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/5438412949405
Source: 641d67.msi.2.dr	String found in binary or memory: https://help.realvnc.com/hc/en-us/articles/5438412949405.
Source: vncviewer.exe.2.dr	String found in binary or memory: https://manage.realvnc.com
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vncviewer.exe.2.dr	String found in binary or memory: https://www.google-analytics.com/batch
Source: vncviewer.exe.2.dr	String found in binary or memory: https://www.google-analytics.com/batchhttps://www.google-analytics.com/collectFlush
Source: vncviewer.exe.2.dr	String found in binary or memory: https://www.google-analytics.com/collect
Source: 641d67.msi.2.dr, MSI1F97.tmp.2.dr	String found in binary or memory: https://www.realvnc.com
Source: vncviewer.exe.2.dr	String found in binary or memory: https://www.realvnc.com.
Source: VNC-Viewer-7.13.1-Windows.exe, vncviewer.exe.2.dr	String found in binary or memory: https://www.realvnc.com/docs/%s/foss.html
Source: VNC-Viewer-7.13.1-Windows.exe, vncviewer.exe.2.dr	String found in binary or memory: https://www.realvnc.com/docs/%s/foss.htmlC:
Source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr	String found in binary or memory: https://www.realvnc.com/realvnc
Source: 641d67.msi.2.dr	String found in binary or memory: https://www.realvnc.com/realvnc-
Source: 641d67.msi.2.dr	String found in binary or memory: https://www.realvnc.com/realvnc-acceptable-use-policy
Source: 641d67.msi.2.dr	String found in binary or memory: https://www.realvnc.com/realvnc-acceptable-use-policy.
Source: vncviewer.exe.2.dr	String found in binary or memory: https://www.realvnc.com_ProductUrivnc.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: https://www.realvnc.com_ProductUrivncRealVNC.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA
Source: 641d67.msi.2.dr	String found in binary or memory: https://www.realvnc.help

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\641d65.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F97.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}\IconViewer.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\641d67.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\641d67.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2536.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\641d67.msi

Jump to behavior

PE file contains executable resources (Code or Archives)

Source: vncviewer.exe.2.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file does not import any functions

Source: logmessages.dll.2.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: VNC-Viewer-7.13.1-Windows.exe, 00000000.00000000.1663398272.0000000001126000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs VNC-Viewer-7.13.1-Windows.exe
Source: VNC-Viewer-7.13.1-Windows.exe, 00000000.00000000.1663398272.0000000001126000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevncviewer-installer.exe* vs VNC-Viewer-7.13.1-Windows.exe
Source: VNC-Viewer-7.13.1-Windows.exe, 00000000.00000000.1663398272.0000000000C35000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs VNC-Viewer-7.13.1-Windows.exe
Source: VNC-Viewer-7.13.1-Windows.exe	Binary or memory string: OriginalFilenameuica.dll\ vs VNC-Viewer-7.13.1-Windows.exe
Source: VNC-Viewer-7.13.1-Windows.exe	Binary or memory string: OriginalFilenamevncviewer-installer.exe* vs VNC-Viewer-7.13.1-Windows.exe

Uses 32bit PE files

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean14.troj.winEXE@6/26@1/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\RealVNC

Jump to behavior

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe

File created: C:\Users\user\AppData\Local\RealVNC

Jump to behavior

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe

File created: C:\Users\user\AppData\Local\Temp\vnc64.msi

Jump to behavior

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %S-Installationsprogramm
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %S-Installationsprogramm
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: hrend der Installation verwendet werden soll:de%S-InstallationsprogrammSeleccione el idioma de la instalaci
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -help
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Ejecute con -help para obtener informaci
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: n.Falta el argumento '%S'.Registrar eventos en formato <registro>:<destino>:<nivel>[,...].Directorio en el que almacenar la salida del registro dirigida a un archivo.Archivo en el que almacenar la salida del registro dirigida a un archivo.Pulse la tecla Intro para continuarEjecute con -help para obtener informaci
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: cuter avec -help pour afficher la syntaxe.
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: cuter avec -help pour afficher la syntaxe.Cha
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Run with -help for usage.
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Names are case-insensitive. Valid parameters are listed below.Missing argument to '%S'.Record events in the format <log>:<target>:<level>[,...].Directory in which to store log output directed to file.File in which to store log output directed to file.Press Enter/Return key to continueRun with -help for usage.String too longThis program is not intended to be run directly.Provide [advanced] usage information.Usage:Argumento incorreto '%S'.Par
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Executar com -help para uso.
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: da de log direcionada a arquivo deve ser armazenada.Pressione a tecla Enter/Return para continuarExecutar com -help para uso.Cadeia longa demaisEsse programa n
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: --help
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: --help
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Policy overriding preferencePolicyPreferenceDefaultPriority %d%s=%s (%s)Global-help--help-h/?,map/set<T> too long
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Policy overriding preferencePolicyPreferenceDefaultPriority %d%s=%s (%s)Global-help--help-h/?,map/set<T> too long
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -stop
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %s%s%s%c%sSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallOpenProcessTokenUninstallStringInstallLocationVNC ServerVNC ViewerVNC4\%s\vncviewervncserverRealVNCSoftware\%s\installer\%s%s\%s.exeRealVNCViewer_is1RealVNC_is1Cannot run command. Executable is not set.Running '%s'File does not exist: '%s'/NORESTART/VERYSILENTmsiBackupgetBackupDir: user %s ex %sSoftware\%s\%sbudgeunbudgecleanupbudgeFiles(%s, "%s")*.budged%s\%s%s.budged.dll.exeBudge file '%s' --> '%s'Unbudge file '%s' --> '%s'Delete file '%s'-unregister%s\vncserver-old.exe-stopCannot determine MSI install location.vncchat.exevncclipboard.exevncaddrbook.exevncviewer.exewinvnc4.exedesktop_dupl.dllsaslib.dllvncconfig.exevncservice.exevnckeyhelper.exevncpipehelper.exevnclicensehelper.exeunins000.exeunins000.datvnc-mirror-1_8_0-x86_x64_win32.exevnc-printer-1_7_0-x86_x64_win32.exevnc-printer-1_8_0-x86_x64_win32.exeVNC-Viewer-5.0.7-Windows.exeVNC-Viewer-5.0.6-Windows.exeVNC-Viewer-5.0.5-Windows.exeVNC-Viewer-5.0.4-Windows.exeVNC-Viewer-5.0.3-Windows.exeVNC-Viewer-5.0.2-Windows.exeVNC-Viewer-5.0.1-Windows.exeVNC-Viewer-5.0.0-Windows.exeMirror DriverPrinter DriverSetupCacheLogslogmessages.dllvnclicense.exevnclicensewiz.exevncpasswd.exevncguihelper.exevncagent.exevncserver.exevncserverui.exewm_hooks.dllDeleted '%s'Deleted registry key '%s'Failed to delete registry key '%s'cleanupOldServerInstallFiles() failed: oldInstallDir is not specified.Detected previous InnoSetup installDeleted previous InnoSetup install '%s'Cleanup previous InnoSetup install '%s'Detected previous MSI installDeleted previous MSI install '%s'Cleanup previous MSI install '%s'VNC Address Book.lnkVNC Viewer.lnkAdvanced\Start Listening VNC Viewer.lnkcleanupOldViewerInstallFiles(): MSI install detected.Clean up InnoSetup installer files.Deleted file '%s'Do nothing.Detected previous 5.0.x InnoSetup installDetected previous 4.5/4.6.x InnoSetup install%s\VNC Viewer.lnkvector<T> too long
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -start
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -addFirewallException
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -install
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: -installerSetLicenseValidRegKey
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: installhlp%dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: installhlp%dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: installhlp%dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Names are case-insensitive. Valid parameters are listed below.Missing argument to '%S'.Record events in the format <log>:<target>:<level>[,...].Directory in which to store log output directed to file.File in which to store log output directed to file.Press Enter/Return key to continueRun with -help for usage.String too longThis program is not intended to be run directly.Provide [advanced] usage information.Usage:Argumento incorreto '%S'.ptPar
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Policy overriding preferencePolicyPreferenceDefaultPriority %d%s=%s (%s)Global-help--help-h/?
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: Policy overriding preferencePolicyPreferenceDefaultPriority %d%s=%s (%s)Global-help--help-h/?
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: , um das Setup-Programm zu beenden.{\WixUI_Font_Bigger}[ProductName]-SetupUserExitDie [ProductName]-Installation wurde unterbrochen. Das System wurde nicht ver
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %s%s%s%c%sSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallOpenProcessTokenUninstallStringInstallLocationVNC ServerVNC ViewerVNC4\%s\vncviewervncserverRealVNCSoftware\%s\installer\%s%s\%s.exeRealVNCViewer_is1RealVNC_is1Cannot run command. Executable is not set.Running '%s'File does not exist: '%s'/NORESTART/VERYSILENTmsiBackupgetBackupDir: user %s ex %sSoftware\%s\%sbudgeunbudgecleanupbudgeFiles(%s, "%s")*.budged%s\%s%s.budged.dll.exeBudge file '%s' --> '%s'Unbudge file '%s' --> '%s'Delete file '%s'-unregister%s\vncserver-old.exe-stopCannot determine MSI install location.vncchat.exevncclipboard.exevncaddrbook.exevncviewer.exewinvnc4.exedesktop_dupl.dllsaslib.dllvncconfig.exevncservice.exevnckeyhelper.exevncpipehelper.exevnclicensehelper.exeunins000.exeunins000.datvnc-mirror-1_8_0-x86_x64_win32.exevnc-printer-1_7_0-x86_x64_win32.exevnc-printer-1_8_0-x86_x64_win32.exeVNC-Viewer-5.0.7-Windows.exeVNC-Viewer-5.0.6-Windows.exeVNC-Viewer-5.0.5-Windows.exeVNC-Viewer-5.0.4-Windows.exeVNC-Viewer-5.0.3-Windows.exeVNC-Viewer-5.0.2-Windows.exeVNC-Viewer-5.0.1-Windows.exeVNC-Viewer-5.0.0-Windows.exeMirror DriverPrinter DriverSetupCacheLogslogmessages.dllvnclicense.exevnclicensewiz.exevncpasswd.exevncguihelper.exevncagent.exevncserver.exevncserverui.exewm_hooks.dllDeleted '%s'Deleted registry key '%s'Failed to delete registry key '%s'cleanupOldServerInstallFiles() failed: oldInstallDir is not specified.Detected previous InnoSetup installDeleted previous InnoSetup install '%s'Cleanup previous InnoSetup install '%s'Detected previous MSI installDeleted previous MSI install '%s'Cleanup previous MSI install '%s'VNC Address Book.lnkVNC Viewer.lnkAdvanced\Start Listening VNC Viewer.lnkcleanupOldViewerInstallFiles(): MSI install detected.Clean up InnoSetup installer files.Deleted file '%s'Do nothing.Detected previous 5.0.x InnoSetup installDetected previous 4.5/4.6.x InnoSetup install%s\VNC Viewer.lnkvector<T> too longpA
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30"
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30"
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: %dSOFTWARE\RealVNC\AllUsers01RDPSessionDetectedVNC_Mirror_DriverPreviousDriverUninstallingSW\{3DD4189B-0CD2-4e46-BEC5-519C96AD3E39IncompatibleDriverInstalled1.8%svncmirror.infCreatingRemoving%s device: VNC Mirror Driver .inf path = %sInstalled version (%s) not older than %s.Installed version (%s) older than %s.No previous version installed.A reboot is required to complete the operation.setDeferredRebootRequired: %sReboot not required.%d\|%d\|%sunexpected: %sAdvancedDocumentationAdvanced\Enter VNC Server License Key.lnkAdvanced\VNC Server (User Mode).lnkUnbudging files to %sMoving '%s' --> '%s'Failed: %sDeleting directory '%s'WinVNC4-startbackupDir is %sCopy file in '%s' --> '%s'Budging files in '%s'Viewer MSI detected%s\%s\%sBacking upMoving%s '%s' --> %s%s\%s\DocumentationDeleting '%s'No files to budge.Uninstall printer driver (InnoSetup)VNCPrinter_is1Clean up printer driver install (%s)Uninstall mirror driver (InnoSetup)VNCMirror_is1nt_amd64\driverinst.exent_x86\driverinst.exeClean up mirror driver install (%s)Delete directory '%s'Starting VNC Server.-showstatusSetting %s to %sSoftware-addFirewallException-service%d\|%d-joincloud-joingroup-joinnamejoinCloud failed (returned %d)No install location?Error: setting %s has no valueADDFIREWALLEXCEPTIONSJOINCLOUDJOINGROUPJOINNAMEPARAMS-createHostIdCreating updateId failed (-createHostId returned %d)%s-cleanupFirewall-cleanupUpdates-cleanupServiceSettingsTest failure triggered.-generatekeys%s%s.exeSetting shortcut property %s on %sCould not set shortcut property %s on %sSetCurrentDirectoryNo directory passed to installPrinterDriverHelper-log=%s%sprinterinst.exe-installReboot required.Error-remove%d,%d,%sAdding to source list %s --> %sMsiSourceListAddSource result %dPackageNameMsiSourceListSetInfo result %dRDP_SESSION_DETECTED-installerSetLicenseValidRegKeysetLicenseValidRegKey exception: %s*:msi:30"
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: InternalNamevncviewer-installerV
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: OriginalFilenamevncviewer-installer.exe*

Source: unknown	Process created: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe "C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe"
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 0E7A688FE1F05D12731371BA02BFD3BE E Global\MSI0000
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\vnc64.msi ProductLanguage=1033	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 0E7A688FE1F05D12731371BA02BFD3BE E Global\MSI0000	Jump to behavior

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: RealVNC Viewer.lnk.2.dr

LNK file: ..\..\..\..\..\..\Program Files\RealVNC\VNC Viewer\vncviewer.exe

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe	Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\logmessages.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msiKey	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}

Jump to behavior

PE / OLE file has a valid certificate

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: certificate valid

PE file has a big code size

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: VNC-Viewer-7.13.1-Windows.exe

Static file information: File size 12649048 > 1048576

PE file has a big raw section

Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x127800
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa8e200

PE file contains a mix of data directories often seen in goodware

Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: VNC-Viewer-7.13.1-Windows.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installhlp.pdbV source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installers\viewer_bootstrap.pdb% source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\logmessages.pdb source: logmessages.dll.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\installhlp.pdbO source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, 641d67.msi.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installhlp.pdb source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\installhlp.pdb source: VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, 641d67.msi.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld32\RelWithDebInfo\installers\viewer_bootstrap.pdb source: VNC-Viewer-7.13.1-Windows.exe
Source:	Binary string: C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\vncviewer.pdb source: vncviewer.exe.2.dr

PE file contains a valid data directory to section mapping

Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VNC-Viewer-7.13.1-Windows.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains sections with non-standard names

Source: vncviewer.exe.2.dr	Static PE information: section name: .rodata
Source: vncviewer.exe.2.dr	Static PE information: section name: .gehcont
Source: MSI2536.tmp.2.dr	Static PE information: section name: .gehcont

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\RealVNC\VNC Viewer\logmessages.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2536.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI2536.tmp

Jump to dropped file

Boot Survival

Creates or modifies windows services

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VNC Viewer

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealVNC			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealVNC\RealVNC Viewer.lnk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\RealVNC\VNC Viewer\logmessages.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2536.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe

Code function: 0_2_00B405E7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B405E7

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: VNC-Viewer-7.13.1-Windows.exe, 00000000.00000000.1663398272.0000000000C35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: LANGDESCS.TXTLANGS.TXTVNC32.MSIVNC64.MSI!APP_ICONEnglish
Source: VNC-Viewer-7.13.1-Windows.exe	String found in binary or memory: LANGDESCS.TXTLANGS.TXTVNC32.MSIVNC64.MSI!APP_ICONEnglish

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	23 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Remote Access Software	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 File Deletion	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VNC-Viewer-7.13.1-Windows.exe	0%	ReversingLabs
VNC-Viewer-7.13.1-Windows.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files\RealVNC\VNC Viewer\logmessages.dll	0%	ReversingLabs
C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe	0%	ReversingLabs
C:\Windows\Installer\MSI2536.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://help.realvnc.com/hc/en-us/articles/360003474552	0%	Avira URL Cloud	safe
https://help.realvnc.com	0%	Avira URL Cloud	safe
https://www.realvnc.com_ProductUrivncRealVNC.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA	0%	Avira URL Cloud	safe
https://help.realvnc.com/hc/en-us/articles/5438412949405	0%	Avira URL Cloud	safe
https://www.realvnc.com.	0%	Avira URL Cloud	safe
https://help.realvnc.com/hc/en-us/articles/5438412949405.	0%	Avira URL Cloud	safe
https://www.realvnc.com_ProductUrivnc.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA	0%	Avira URL Cloud	safe
https://help.realvnc.com/hc/en-us/articles/360002450292cmisc_secdlg_ard_message_html_fmt#FFFFFF	0%	Avira URL Cloud	safe
https://help.realvnc.com/hc/en-us/articles/360003474552helpConnectingbuttonBgvnc_connect_brandingab_	0%	Avira URL Cloud	safe
https://manage.realvnc.com	0%	Avira URL Cloud	safe
https://help.realvnc.com/hc/en-us/articles/360002450292	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://help.realvnc.com/hc/en-us/articles/360003474552	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://help.realvnc.com	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://help.realvnc.com/hc/en-us/articles/5438412949405.	641d67.msi.2.dr	false	Avira URL Cloud: safe	unknown
https://www.realvnc.com_ProductUrivncRealVNC.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA	VNC-Viewer-7.13.1-Windows.exe	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org	VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d67.msi.2.dr	false		high
https://help.realvnc.com/hc/en-us/articles/5438412949405	641d67.msi.2.dr	false	Avira URL Cloud: safe	unknown
https://www.realvnc.com.	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://manage.realvnc.com	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://www.realvnc.com	641d67.msi.2.dr, MSI1F97.tmp.2.dr	false		high
https://www.realvnc.com/realvnc	VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr	false		high
https://www.realvnc.com/realvnc-acceptable-use-policy	641d67.msi.2.dr	false		high
https://hb-a.services.vnc.com:443/bootstrap/1.2/configuration	vncviewer.exe.2.dr	false		high
https://help.realvnc.com/hc/en-us/articles/360002450292cmisc_secdlg_ard_message_html_fmt#FFFFFF	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://www.realvnc.com/realvnc-acceptable-use-policy.	641d67.msi.2.dr	false		high
https://www.realvnc.com/realvnc-	641d67.msi.2.dr	false		high
https://www.realvnc.com_ProductUrivnc.exeLOCAL_APPDATA_COMPANYLOCALAPPDATA	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://help.realvnc.com/hc/en-us/articles/360003474552helpConnectingbuttonBgvnc_connect_brandingab_	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://hb-b.services.vnc.com:443/bootstrap/1.2/configuration	vncviewer.exe.2.dr	false		high
https://www.realvnc.help	641d67.msi.2.dr	false		high
https://hb-c.services.vnc.com:443/bootstrap/1.2/configuration	vncviewer.exe.2.dr	false		high
http://www.realvnc.com/	VNC-Viewer-7.13.1-Windows.exe, 641d65.msi.2.dr, 641d66.rbs.2.dr, vncviewer.exe.2.dr, 641d67.msi.2.dr, logmessages.dll.2.dr, MSI2536.tmp.2.dr, MSI1F97.tmp.2.dr	false		high
https://www.realvnc.com/docs/%s/foss.html	VNC-Viewer-7.13.1-Windows.exe, vncviewer.exe.2.dr	false		high
https://www.realvnc.com/docs/%s/foss.htmlC:	VNC-Viewer-7.13.1-Windows.exe, vncviewer.exe.2.dr	false		high
https://help.realvnc.com/hc/en-us/articles/360002450292	vncviewer.exe.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582761
Start date and time:	2024-12-31 12:37:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VNC-Viewer-7.13.1-Windows.exe
Detection:	CLEAN
Classification:	clean14.troj.winEXE@6/26@1/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.95.31.18, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target VNC-Viewer-7.13.1-Windows.exe, PID 7288 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Config.Msi\641d66.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1080268
Entropy (8bit):	6.4233999858236945
Encrypted:	false
SSDEEP:	12288:eRW/6as/GL+ERjdY6PbRAITvBgoOhFhmxus6lxDeHmC:eRW/LnS6PFAITvLOhFhmxuVlsHh
MD5:	B5F07C19CAE6873C8DA30DBD55263741
SHA1:	F23E401800F72126A780802A7015C28196671EA4
SHA-256:	05C4B126DBF64E77607378542F45637741CC072A753F82AADB20F200661ABB2B
SHA-512:	5BC85F7113A8EAD741C734570761486E4E940EC5A595E7C0A3EC46DBEF0B837511131583E5E7A5AE685F0F651B5E1A39D6FF1BB5EC422D0065E7B89981D30ED2
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.4.Y.@.....@.....@.....@.....@.....@......&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}..RealVNC Viewer 7.13.1..vnc64.msi.@.....@.....@.....@......IconViewer.exe..&.{A35A74E8-60BA-4926-8958-A7F4FC00D471}.....@.....@.....@.....@.......@.....@.....@.......@......RealVNC Viewer 7.13.1......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{6A3407EF-10D7-45C3-8F2A-8B8E0308D3D8}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@......&.{07CDFE37-3A74-4A8D-BCC7-80EDBC09B35F}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@......&.{0CAA7F8D-06F1-4457-8C2B-4ADD717E00CE}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@......&.{7CAFA346-B76A-4C0A-802A-D8F04CB67838}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@......&.{B9C7F2CF-70A8-48D8-B5B1-F5832688FE8A}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@......&.{7EB5D52F-D616-47A7-95B9-FFF6DD357323}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}.@........ViewerRollbackL...ViewerRollb

C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:25:12 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: x64;1033, Last Saved By: x64;1046, Revision Number: {B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}7.13.1.57;{6610B7B3-026F-4545-B18D-3C2456B6A452}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135
Category:	dropped
Size (bytes):	5881856
Entropy (8bit):	7.751153694881111
Encrypted:	false
SSDEEP:	98304:+7B40tAlGoX6HHM6XrVf+39P2kXke20ApaJXTO0y:E40QEHHM6XrVW3d06JXTO0
MD5:	E98F1BC5D00758BD2655996AB6966017
SHA1:	BC612AD96D167D96ADDAF8F9D2A671B1BB37625A
SHA-256:	EE38CAD804AB9AEFB51A325C3DD9C56DC2C0CD9B73C5B62D2DA207857E343AD0
SHA-512:	836869987A8085ED00AB5D87185D8BAB51AD0825A701AA74D82054AFBF1E03FFA527994AF30C155D5B61CF96CD2750AF437E4E16E8012E74FD86091D2725D43A
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\RealVNC\VNC Viewer\logmessages.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11832
Entropy (8bit):	7.342478585232833
Encrypted:	false
SSDEEP:	192:7VxrTUIYiYF8wE2dWu7iYYGncS35IVnEy2sE9jBF0Nyncm:7VFTUIYiGE2djSGncSJIVE8E9VF0NynZ
MD5:	C3EEC8FAE195194BEFDF1F79E1D6E315
SHA1:	0F612A7F5C0E51700C3995AF21F9C7343B4DA784
SHA-256:	F142ED0DD443DA38A3A14F794D527C902A4BDE4840C1C712F8ABE850FC2E1B5F
SHA-512:	CA87A69190F76D673940F35142B9E3DC73F734C314C16DC079F04EDFAC1F6C8ABFBE0648AE8752688A71956A7AE6AD9FD3F32321C1E6AA2DC75E0AB81E5FC223
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R.......R...P...R.Rich..R.PE..d....=Sg.........." .........................................................0......S.....`.......................................................... ..@...............8(..............T............................................................................rdata..P...........................@..@.rsrc...@.... ......................@..@.....=Sg............T...T........=Sg.........................=Sg........T...........RSDS?.V...B.>.7.W.....C:\ent-slave-root\workspace\VNCConnect\Builds\Clients\VNC_7.13.x\label\con-windows-64\bld64\RelWithDebInfo\logmessages.pdb..............................T....rdata..T........rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02............................................................................................................................................................

C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11854392
Entropy (8bit):	6.6161259716455145
Encrypted:	false
SSDEEP:	196608:MgeU7/EXTYyOC41lI75T5WeE5PC9OE5vQ4js:M3DTxZrT5WeEM9OE5vQd
MD5:	6BE480D72937C6D4802556F5F3390858
SHA1:	249E5E9AFBF470E782E04BF295460B4B842EA81C
SHA-256:	F677C36D366A74E6391227D494615B17A2942B111CE9BDB7543397357B14F482
SHA-512:	6A0169DFE86422A8C7169B77AA59BBE0CE18D27BDE0EA09155FB6E258A5D012D57B692A827D323808DE1F8845D1EC2A84C6F08D2B97114C8A358A0682E81E87C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......mu..)..H)..H)..H=..I<..H=..I...H..nH...H{\|.I;..H{\|.I#..H=..I(..H=..I7..H=..I+..H{\|.I...H.}.IJ..H)..Hm..H=..I0..H)..H...H.}.Iw..H.}VH(..H).>H/..H.}.I(..HRich)..H................PE..d....?Sg.........."......`r..VB.....p.e........@............................. ............`.....................................................................`v......8(...P..........T.....................(....................pr.............................text...._r......`r................. ..`.rdata....,..pr...,..dr.............@..@.data........0....... ..............@....pdata..`v.......x.................@..@.rodata..............:..............@..@.gehcont(............D..............@..@.rsrc................F..............@..@.reloc.......P......................@..B................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealVNC\RealVNC Viewer.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Dec 6 22:20:02 2024, mtime=Tue Dec 31 10:38:51 2024, atime=Fri Dec 6 22:20:02 2024, length=11854392, window=hide
Category:	dropped
Size (bytes):	1127
Entropy (8bit):	4.58078586193274
Encrypted:	false
SSDEEP:	12:8mtIMtYXv21h9G+dpF4e/vN/GvaKHaRqijA2vHDZbdph3gaQHbdph3ga61NJjLih:8m2GDd5NOFeAaHDldv3C7dv3sJHiyfm
MD5:	D7DFC3CBA3F6DB83E6FB3ECC87802C40
SHA1:	4B6F10E43F9977FB4BE7E727A839B990FD6289B9
SHA-256:	DFE0835DEA4DF6448AA6E304F7C33B972773A46C7F63ABA0DC41497574AB8077
SHA-512:	775969F68D82A7FE9EA84EC51449E0F40385611F4B1DDE3ADDC16F8C71C60DE9B8141572B9AF2C403A1EA6F2E401FCE14878E59842537B36D586AEEA246BEE88
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......`5H..xBz.x[.....`5H..8...........................P.O. .:i.....+00.../C:\.....................1......Y.\..PROGRA~1..t......O.I.Y.\....B...............J.....?.`.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....V.1......Y.\..RealVNC.@......Y.\.Y.\..........................?.`.R.e.a.l.V.N.C.....^.1......Y.\..VNCVIE~1..F......Y.\.Y.\...........................XK.V.N.C. .V.i.e.w.e.r.....h.2.8...Y.. .VNCVIE~1.EXE..L......Y...Y.\...._.........................v.n.c.v.i.e.w.e.r...e.x.e.......`...............-......._....................C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe..@.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.e.a.l.V.N.C.\.V.N.C. .V.i.e.w.e.r.\.v.n.c.v.i.e.w.e.r...e.x.e.$.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.e.a.l.V.N.C.\.V.N.C. .V.i.e.w.e.r.\.........&................c^...NI..e.2.......`.......X.......888683...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..............A..

C:\Users\user\AppData\Local\Temp\vnc64.msi

Download File

Process:	C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:25:12 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: x64;1033, Last Saved By: x64;1046, Revision Number: {B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}7.13.1.57;{6610B7B3-026F-4545-B18D-3C2456B6A452}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135
Category:	dropped
Size (bytes):	5881856
Entropy (8bit):	7.751153694881111
Encrypted:	false
SSDEEP:	98304:+7B40tAlGoX6HHM6XrVf+39P2kXke20ApaJXTO0y:E40QEHHM6XrVW3d06JXTO0
MD5:	E98F1BC5D00758BD2655996AB6966017
SHA1:	BC612AD96D167D96ADDAF8F9D2A671B1BB37625A
SHA-256:	EE38CAD804AB9AEFB51A325C3DD9C56DC2C0CD9B73C5B62D2DA207857E343AD0
SHA-512:	836869987A8085ED00AB5D87185D8BAB51AD0825A701AA74D82054AFBF1E03FFA527994AF30C155D5B61CF96CD2750AF437E4E16E8012E74FD86091D2725D43A
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\641d65.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:25:12 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: x64;1033, Last Saved By: x64;1046, Revision Number: {B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}7.13.1.57;{6610B7B3-026F-4545-B18D-3C2456B6A452}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135
Category:	dropped
Size (bytes):	5881856
Entropy (8bit):	7.751153694881111
Encrypted:	false
SSDEEP:	98304:+7B40tAlGoX6HHM6XrVf+39P2kXke20ApaJXTO0y:E40QEHHM6XrVW3d06JXTO0
MD5:	E98F1BC5D00758BD2655996AB6966017
SHA1:	BC612AD96D167D96ADDAF8F9D2A671B1BB37625A
SHA-256:	EE38CAD804AB9AEFB51A325C3DD9C56DC2C0CD9B73C5B62D2DA207857E343AD0
SHA-512:	836869987A8085ED00AB5D87185D8BAB51AD0825A701AA74D82054AFBF1E03FFA527994AF30C155D5B61CF96CD2750AF437E4E16E8012E74FD86091D2725D43A
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\641d67.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:25:12 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: x64;1033, Last Saved By: x64;1046, Revision Number: {B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}7.13.1.57;{6610B7B3-026F-4545-B18D-3C2456B6A452}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135
Category:	dropped
Size (bytes):	5881856
Entropy (8bit):	7.751153694881111
Encrypted:	false
SSDEEP:	98304:+7B40tAlGoX6HHM6XrVf+39P2kXke20ApaJXTO0y:E40QEHHM6XrVW3d06JXTO0
MD5:	E98F1BC5D00758BD2655996AB6966017
SHA1:	BC612AD96D167D96ADDAF8F9D2A671B1BB37625A
SHA-256:	EE38CAD804AB9AEFB51A325C3DD9C56DC2C0CD9B73C5B62D2DA207857E343AD0
SHA-512:	836869987A8085ED00AB5D87185D8BAB51AD0825A701AA74D82054AFBF1E03FFA527994AF30C155D5B61CF96CD2750AF437E4E16E8012E74FD86091D2725D43A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1F97.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2181178
Entropy (8bit):	6.435596287219212
Encrypted:	false
SSDEEP:	49152:7DRPFAITjOlmxuVlsEWDRPFAITjOlmxuVlsR:7dXTO0hdXTO0x
MD5:	27D3751B3156A6B796C3CD4DAA9FEA12
SHA1:	97E54A9BFFDCEA1C4C3648C7FE0762D80B0E7B0A
SHA-256:	FCCE021853EB874C62A57B345CDCCD49EB92064D692FA3F5F340BF6E48CF0F97
SHA-512:	F308C29CC5F2D0CFD7906C35962BC3938DE899F222E73E407FFF61073F67A84DBBA58554ED882BFC6CC1985CD50B516C0C9C4C1CEB9F1FF0AC892A6257AC6E99
Malicious:	false
Preview:	...@IXOS.@.....@.4.Y.@.....@.....@.....@.....@.....@......&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}..RealVNC Viewer 7.13.1..vnc64.msi.@.....@.....@.....@......IconViewer.exe..&.{A35A74E8-60BA-4926-8958-A7F4FC00D471}.....@.....@.....@.....@.......@.....@.....@.......@......RealVNC Viewer 7.13.1......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{258EE0FE-2EB7-408A-9845-CC00DBA64062}&.{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}..&.{258EE0FE-2EB7-408A-9845-CC00DBA64062}...@.....@.......@.....@.....@.]....&.{6A3407EF-10D7-45C3-8F2A-8B8E0308D3D8}U.C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msiKey.@.......@.....@.....@......&.{07CDFE37-3A74-4A8D-BCC7-80EDBC09B35F}1.C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe.@.......@.....@.....@......&.{0CAA7F8D-06F1-4457-8C2B-4ADD717E00CE}8.22:\Software\RealVNC\installer\vncviewer\InstallL

C:\Windows\Installer\MSI2536.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069112
Entropy (8bit):	6.416783103293425
Encrypted:	false
SSDEEP:	12288:ARW/6as/GL+ERjdY6PbRAITvBgoOhFhmxus6lxDeHm3:ARW/LnS6PFAITvLOhFhmxuVlsHq
MD5:	75E4D53A3CE45B590A2C43F5A7135424
SHA1:	F1D734A6AAE1084CB079C3A2A369A70E04265F60
SHA-256:	5F240831611F23CDEDAEDA015A630CACBCF187DD44CC2A2A8A63FCA2133A3A3B
SHA-512:	A7FA47F2D101C6386BCE91301206ED1A76E3C687F5FCD750CE2CD2403EC99ADAB395F498514389F6F66AB51B6BEA8F2281B07D51BC7F4F540D6CCC18D0FDD857
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..me.>e.>e.>q..?c.>q..?..>.gz>a.>7..?j.>7..?m.>7..?M.>q..?t.>q..?d.>q..?r.>e.>..>...?d.>...?:.>...?d.>..B>d.>...?d.>Riche.>........PE..d....=Sg.........." .........F.......9...............................................P....`..........................................B.......F......................(..8(..........0l..T....................m..(....l............... ...............................text............................... ..`.rdata...B... ...D..................@..@.data...,G...p.......P..............@....pdata..............n..............@..@.gehcont ....p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Windows\Installer\SourceHash{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1628588732454037
Encrypted:	false
SSDEEP:	12:JSbX72FjzAGiLIlHVRpMh/7777777777777777777777777vDHFBYRLrIip3Xl0G:JhQI5cH8/IY6F
MD5:	CFFCD6DBE4AEA6156E82B0D586FA1693
SHA1:	95657FD6054C952D64AAB560BBEB760F16B4E7E7
SHA-256:	B6D9FADDB2330368AE9D98D632325D5B30620A5A6631D0121CB48B8EEE6F2646
SHA-512:	2AB4F517140498B381924BD4F04DB4D76B501ED95602C9A6A78AB8C79285009B049379138BA8F87E2066E890039A79F64816CD858453E120EDAA8735389C5095
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5443141593024903
Encrypted:	false
SSDEEP:	48:C8PhKuRc06WXJInT5j9kX5d/kbNd7Syo5xMd/Ad7SIaG5:thK1rnTsXL0zU3
MD5:	CD9694BC3C024CD9EDFACDDF4ACEBE20
SHA1:	BBD4A68B7FFD178D90D82455449E793BF4BED83C
SHA-256:	CD6CCFECF5AE8F03EC3D18DB2F55DF64BFF65EAACCD238544E9B1D517B1826D6
SHA-512:	A6E997F716E3B2F477D734C11B744113B96CDC55403516604ADF979D48463FDEFA28583B7B37FB6C4C43453CF8FC10668502D0BBACD20619B2E837E7E78A1F07
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}\IconViewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 16x16, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	37521
Entropy (8bit):	5.773492584241999
Encrypted:	false
SSDEEP:	384:umyzlsIPkVXmyrvAXNRoCFwVcYtqZ6ehI7aJrfDSRi2Ze8CDQRXxmSpaQSeOjE/1:Uzjaz2Prw2YtqrhI6SRiOdCcRnpyc3dH
MD5:	BF9D3B025D116AB0B9512FF5E3C0BED3
SHA1:	07E6982C79148F3B3D938C571E2452C4B69BBD71
SHA-256:	668C44FECA49CE78EC85BEDFABD59C12D585AE4DD145A9B5900B4F75DA382563
SHA-512:	F2A9890561AA3D3AB22E0CF0982899E9C77878237CF1BE4EACD79C1FDA9AF7555E453CA7B0947CE24CAB819F4DA9F4E5AA546E21595ABCFBC9B6B6EB03280E5E
Malicious:	false
Preview:	..............h....... ..............00.................... .h...N......... ......!........ .....n(.. .... ......1..00.... ..%...B........ .K*..Fh..(....... .....................................]...M...x..%...k.......C..#..........&...a.......A...\|...D.........G...7..'.........e...U.....................H...........K...;...f...V...N...>...i...Y.......1......l.......<...w..$.....'......}......................5..%...p.......`...8.....(...c...S......~..........F...6.......9...t...d......<......W.......j..........J...:......"..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375175340972947
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauN:zTtbmkExhMJCIpErY
MD5:	993C8D0AAB968AF7C7A66A5C406D6E05
SHA1:	0D7D269828E6F182016D4BE4A1E47BC232C3FBE3
SHA-256:	7CD263864FBBBFFFB589B75C6728DD03CEAD937F8D2BF8438823CDF279A97FDC
SHA-512:	63C36A50214FC505799F1F63797E33B955AA0165278BA8005976E273797E54DD638BF6526D9F5654661678CCEA909071E7D743E58F7E26177913E0412EE37DBD
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF00107B2572345DD8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0EA4C211AF8CFFE2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06944217368644955
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO8P6YRvzV5IhyVky6l3X:2F0i8n0itFzDHFBYRLrIX3X
MD5:	D0F281F7E22B3F7AAAFE5CFC32888F01
SHA1:	094815A816C5112D4D713C7D892089E25126C154
SHA-256:	A71C168A85793CB6DCD44C1F85414535E099FFAC6AFD79EE97685877E93EC06B
SHA-512:	BFAF3B5F6EA4C002DF0C52B1599A75CD048CA2E645E5B1ADC4FD57FD6EDF0CA3E57FF191CB9781975BAB38D17DE14A273827CC31164BD246E0DA9291AFAD22F3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1013DAC2C898AD30.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5443141593024903
Encrypted:	false
SSDEEP:	48:C8PhKuRc06WXJInT5j9kX5d/kbNd7Syo5xMd/Ad7SIaG5:thK1rnTsXL0zU3
MD5:	CD9694BC3C024CD9EDFACDDF4ACEBE20
SHA1:	BBD4A68B7FFD178D90D82455449E793BF4BED83C
SHA-256:	CD6CCFECF5AE8F03EC3D18DB2F55DF64BFF65EAACCD238544E9B1D517B1826D6
SHA-512:	A6E997F716E3B2F477D734C11B744113B96CDC55403516604ADF979D48463FDEFA28583B7B37FB6C4C43453CF8FC10668502D0BBACD20619B2E837E7E78A1F07
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1A73933CECF53520.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2377439036187767
Encrypted:	false
SSDEEP:	48:YbCukNveFXJvT589kX5d/kbNd7Syo5xMd/Ad7SIaG5:6CuHTBXL0zU3
MD5:	3D390C9321759CF9383AE3C5E51E707C
SHA1:	0C8366BFA6A4CF05FA7578002D957CAFD17CBEBD
SHA-256:	7C9B0557DA0BA1BC68716521E440F8FD3B277684B394A933EB59FFB16CB71BEB
SHA-512:	A8593F4970B111EE81FFFD6130EF94A6199192133711E98A21477617BB6B93EDA24EDC363B60A181D474EB07259F0869AA8D6E457DC16C7C2798096363557D45
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF25EE24F5B94D517E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5443141593024903
Encrypted:	false
SSDEEP:	48:C8PhKuRc06WXJInT5j9kX5d/kbNd7Syo5xMd/Ad7SIaG5:thK1rnTsXL0zU3
MD5:	CD9694BC3C024CD9EDFACDDF4ACEBE20
SHA1:	BBD4A68B7FFD178D90D82455449E793BF4BED83C
SHA-256:	CD6CCFECF5AE8F03EC3D18DB2F55DF64BFF65EAACCD238544E9B1D517B1826D6
SHA-512:	A6E997F716E3B2F477D734C11B744113B96CDC55403516604ADF979D48463FDEFA28583B7B37FB6C4C43453CF8FC10668502D0BBACD20619B2E837E7E78A1F07
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF32DDACCC6613036C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7F37CD12B517E6BE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2377439036187767
Encrypted:	false
SSDEEP:	48:YbCukNveFXJvT589kX5d/kbNd7Syo5xMd/Ad7SIaG5:6CuHTBXL0zU3
MD5:	3D390C9321759CF9383AE3C5E51E707C
SHA1:	0C8366BFA6A4CF05FA7578002D957CAFD17CBEBD
SHA-256:	7C9B0557DA0BA1BC68716521E440F8FD3B277684B394A933EB59FFB16CB71BEB
SHA-512:	A8593F4970B111EE81FFFD6130EF94A6199192133711E98A21477617BB6B93EDA24EDC363B60A181D474EB07259F0869AA8D6E457DC16C7C2798096363557D45
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF891DE6E9987873D0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF96A0444AAE9B7BFD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.134836293897516
Encrypted:	false
SSDEEP:	24:NdjI5Vex9a+dv3J+dvzipVc+dv3ROKOeln+dvzipV5GV2BwGkMKSxkJ0+09k:NG5uFd/Ad7SFd/kbNd7Syo5xD59k
MD5:	8B6088E004F42D877B323CDA25B87E3D
SHA1:	760FDBD90357D95D3E5FB0C18351302D2E53501A
SHA-256:	AE512005B1C1884177ACBE441F6D615CB3D9D00112172E7B1692DA5555BD6B14
SHA-512:	344D48ECF2DC56D97F5E5C3CBFDCDD2E7717ABD5A5038CA04574AE85EA392EB7113BB77A4DA5EDDD32B63650F02A24524939F991CE3FEC6FC3F0E785B465B297
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB44F0FD0DEBCE40A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCB0CA5F2AE36F4A4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF59DD28EB3C273D8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2377439036187767
Encrypted:	false
SSDEEP:	48:YbCukNveFXJvT589kX5d/kbNd7Syo5xMd/Ad7SIaG5:6CuHTBXL0zU3
MD5:	3D390C9321759CF9383AE3C5E51E707C
SHA1:	0C8366BFA6A4CF05FA7578002D957CAFD17CBEBD
SHA-256:	7C9B0557DA0BA1BC68716521E440F8FD3B277684B394A933EB59FFB16CB71BEB
SHA-512:	A8593F4970B111EE81FFFD6130EF94A6199192133711E98A21477617BB6B93EDA24EDC363B60A181D474EB07259F0869AA8D6E457DC16C7C2798096363557D45
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.6843062213820605
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VNC-Viewer-7.13.1-Windows.exe
File size:	12'649'048 bytes
MD5:	3bf82674647a748a4036984c7c56521b
SHA1:	9c948a237542bc26a5d9b711de2ffe4c9d88cc7b
SHA256:	7cb888c789083eac23e16b061cee49aea14bbe14e7a784fb0fca5ce0c23ed429
SHA512:	0e281a4c47e862b6833c91688afcc046b295a5e2575ea653bc00e0401e85a6df93f5358bb03beb486f2662448f6a2888304a9538c608ce548ed89dda14715bba
SSDEEP:	196608:i/GRq4SpqCYqD8iN9v40QEHHM6XrVW3d06JXTO0fG:i/GRHbCKk9w0QEM67V96JXTzfG
TLSH:	DCD602113A848136DB9B21788925CBB791B8EC111BF081E7F3CC67ED2F396D06E39656
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......../.B\N..\N..\N..H%..RN..H%...N......XN...&..ON...&..EN..H%..@N..H%..^N..H%..ON..\N...O...&..mN...'..FN...'...N...'%.]N..\NM.]N.

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x47f26a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67533AD5 [Fri Dec 6 17:56:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	425a93f0bf37ad9c39ca7d12aa5f118e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/10/2023 01:00:00 31/10/2026 23:59:59
Subject Chain	CN=RealVNC Ltd, O=RealVNC Ltd, L=Cambridge, C=GB
Version:	3
Thumbprint MD5:	FBDE3B89DFF5AC59AD2734568D4D9DB9
Thumbprint SHA-1:	787E284FC93F1F03001F0F9F54467D580B7B7B57
Thumbprint SHA-256:	048786503FE009BD0C8EC0AC7A79E9C35509B7854E19237060E1AB027A3F3B1E
Serial:	0486FFB0200B731EABB141AEA92D65F3

Entrypoint Preview

Instruction
call 00007F2D48EE0D1Ah
jmp 00007F2D48EDF77Ah
push ebp
mov ebp, esp
jmp 00007F2D48EDF95Fh
push dword ptr [ebp+08h]
call 00007F2D48F10CA2h
pop ecx
test eax, eax
je 00007F2D48EDF961h
push dword ptr [ebp+08h]
call 00007F2D48EFE31Dh
pop ecx
test eax, eax
je 00007F2D48EDF938h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F2D48EE1144h
jmp 00007F2D48EE1121h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F2D48EE1150h
pop ecx
pop ebp
ret
jmp 00007F2D48EE1148h
push ebp
mov ebp, esp
mov eax, dword ptr [0056D36Ch]
mov ecx, eax
xor eax, dword ptr [ebp+08h]
and ecx, 1Fh
ror eax, cl
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [0056D36Ch]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [0056D36Ch]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+0Ch]
ror eax, cl
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F2D48EDF96Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F2D48EDF95Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F2D48EDF95Eh
add edx, 28h
cmp edx, esi
jne 00007F2D48EDF93Ch
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169ca4	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x175000	0xa8e164	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc0da00	0x2858	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc04000	0xfb24	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x150930	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x150984	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x150708	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x129000	0x68c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x169bec	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12771a	0x127800	883cc573b5aeea0f79ec694819c0c6ee	False	0.45885218379864634	data	6.5827432079045956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x129000	0x43004	0x43200	50be3240e488cf8c75f943e73ba8c53d	False	0.40827950418994413	data	5.558732296768569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16d000	0x7094	0x4e00	b2edd599c444e03d3cb72bf497abd6e4	False	0.3395432692307692	data	4.721121996042952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x175000	0xa8e164	0xa8e200	d346db390d354256b772401c20848b8c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc04000	0xfb24	0xfc00	1f26ad6a092dd18d8dcd144cb645558c	False	0.6473369295634921	data	6.677038746353799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BUILTINRESOURCE	0x175324	0x37	Unicode text, UTF-8 text	English	United States	1.1454545454545455
BUILTINRESOURCE	0x17535c	0xe	ASCII text, with no line terminators	English	United States	1.5714285714285714
BUILTINRESOURCE	0x17536c	0x4f0000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:23:50 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: Intel;1033, Last Saved By: Intel;1046, Revision Number: {85666D3B-1E5A-422B-9E9A-404B76A88E75}7.13.1.57;{A7D490EB-C449-4177-BFAC-38403A54CA41}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135			0.987706184387207
BUILTINRESOURCE	0x66536c	0x59c000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: RealVNC Viewer 7.13.1, Author: RealVNC, Keywords: Installer, Comments: Copyright RealVNC Ltd., Create Time/Date: Fri Dec 6 18:25:12 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: x64;1033, Last Saved By: x64;1046, Revision Number: {B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}7.13.1.57;{6610B7B3-026F-4545-B18D-3C2456B6A452}7.13.1.57;{FF5C1C64-EE36-4671-8B8F-4C4944DCC330}, Number of Pages: 200, Number of Characters: 131135			0.9876852035522461
RT_ICON	0xc0136c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0xc01494	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0xc019fc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0xc01ce4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_GROUP_ICON	0xc0258c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xc025cc	0x508	data	English	United States	0.4045031055900621
RT_MANIFEST	0xc02ad4	0x68e	exported SGML document, ASCII text	English	United States	0.3802145411203814

Imports

DLL	Import
WS2_32.dll	WSAEnumNetworkEvents, WSAEventSelect, WSAIoctl, accept, bind, closesocket, ioctlsocket, getsockopt, setsockopt, socket, htons, WSAStartup, WSASetLastError, getservbyname, getservbyport, gethostbyname, gethostbyaddr, ntohs, ntohl, inet_ntoa, inet_addr, WSAGetLastError, htonl, getsockname, getpeername, WSASocketW, WSADuplicateSocketW, WSAConnect
COMCTL32.dll	_TrackMouseEvent, InitCommonControlsEx, ImageList_Destroy, ImageList_Create, ImageList_ReplaceIcon, ImageList_Add
KERNEL32.dll	GetProcAddress, LoadLibraryW, WaitForSingleObject, GetExitCodeProcess, ResetEvent, CreateEventW, GetComputerNameW, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, GetSystemTimeAsFileTime, GetModuleHandleW, ExpandEnvironmentStringsW, SetEvent, RtlCaptureStackBackTrace, GetModuleHandleExW, GetStdHandle, GetFileType, AllocConsole, FreeConsole, GetConsoleMode, ReadConsoleW, WriteConsoleW, WaitForMultipleObjects, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, GetHandleInformation, SetHandleInformation, GetTimeFormatW, GetDateFormatW, GetSystemDirectoryA, LoadLibraryA, GetVersionExW, GlobalLock, GlobalAlloc, GlobalFree, GlobalSize, HeapSize, GetProcessHeap, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, DecodePointer, HeapReAlloc, SetEnvironmentVariableW, GetFileSizeEx, FlushFileBuffers, SetConsoleCtrlHandler, GetConsoleOutputCP, SetFilePointerEx, EnumSystemLocalesW, IsValidLocale, LCMapStringW, CompareStringW, HeapFree, HeapAlloc, GetCurrentThread, DuplicateHandle, WriteFile, ExitProcess, ReadFile, LoadLibraryExW, EncodePointer, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, RaiseException, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetCurrentThreadId, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, ReOpenFile, LocalAlloc, MultiByteToWideChar, SetErrorMode, FindNextFileW, FindFirstFileW, FindClose, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, QueryFullProcessImageNameW, GetModuleFileNameW, CreateFileW, SearchPathW, LoadLibraryExA, OutputDebugStringW, GetCurrentProcess, GetCurrentProcessId, SetStdHandle, FindResourceW, SizeofResource, LockResource, LoadResource, GetUserDefaultLCID, GetLocaleInfoW, CreateProcessW, GetCommandLineW, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetSystemInfo, WideCharToMultiByte, GetTempPathW, MoveFileW, LocalFree, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryW, GetFileAttributesExW, GetFileAttributesW, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, FormatMessageW, FreeLibrary, GetSystemDirectoryW, GetProcessId, GetLastError, CloseHandle, ConnectNamedPipe, CreateNamedPipeW, GetOverlappedResult, CancelIo, OpenProcess, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, CreateThread, TerminateThread, ResumeThread, GetThreadTimes, VirtualProtect, VirtualQuery, GlobalUnlock
USER32.dll	EnumDisplaySettingsW, ChangeDisplaySettingsExW, GetNextDlgTabItem, ScrollWindowEx, RedrawWindow, KillTimer, SetTimer, DefDlgProcW, IsIconic, DestroyWindow, CreateWindowExW, ScreenToClient, RegisterClipboardFormatW, DefWindowProcW, IsWindowVisible, GetMessagePos, GetDoubleClickTime, CreateMenu, SetMenu, SetMenuDefaultItem, SetMenuItemInfoW, InsertMenuItemW, TrackPopupMenu, DeleteMenu, GetMenuItemCount, CheckMenuItem, DestroyMenu, CreatePopupMenu, GetMenuState, GetKeyboardLayout, GetWindowThreadProcessId, GetOpenClipboardWindow, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, IsDialogMessageW, DestroyIcon, EnumChildWindows, SetWindowTextW, GetDlgItem, EndDialog, DialogBoxParamW, CreateDialogParamW, SetParent, GetClassNameW, IsWindowEnabled, PostMessageW, GetCursor, GetScrollInfo, SetScrollInfo, OffsetRect, AdjustWindowRectEx, GetCursorPos, InvalidateRect, GetWindowTextLengthW, GetWindowTextW, GetClipboardData, LoadIconW, GetDesktopWindow, SetWindowLongW, MapWindowPoints, ClientToScreen, GetWindowRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, EnableMenuItem, GetSystemMenu, EnableWindow, ReleaseCapture, SetCapture, GetKeyState, GetDlgCtrlID, GetWindowPlacement, SetWindowPos, ShowWindow, IsChild, GetMessageW, GetComboBoxInfo, GetWindowDC, GetAncestor, SystemParametersInfoW, GetWindowLongW, InflateRect, FrameRect, FillRect, DrawFocusRect, GetSysColorBrush, GetSysColor, SetCursor, GetClientRect, DrawTextW, GetFocus, SendMessageW, DrawFrameControl, SetFocus, LoadCursorW, MsgWaitForMultipleObjects, PeekMessageW, GetSystemMetrics, ReleaseDC, GetDC, DispatchMessageW, TranslateMessage, MonitorFromRect, MonitorFromWindow, GetMonitorInfoW, EnumDisplayMonitors, ToUnicodeEx, GetKeyboardLayoutList, GetAsyncKeyState, ToAsciiEx, VkKeyScanExA, VkKeyScanExW, keybd_event, MapVirtualKeyW, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, WindowFromPoint, CreateIconIndirect, GetParent, CallWindowProcW, UnregisterClassW, RegisterClassExW
GDI32.dll	GetDeviceCaps, GetStockObject, SelectObject, SetBkMode, SetTextColor, GetCharWidthW, CreateSolidBrush, DeleteObject, CreatePen, LineTo, PatBlt, SetBkColor, CreateCompatibleBitmap, DeleteDC, GetPixel, BitBlt, CreateCompatibleDC, CreateDCW, GetClipBox, StretchBlt, SetWindowOrgEx, CreateBitmap, GdiAlphaBlend, CreateDIBSection, SetDIBColorTable, CreateFontIndirectW, GetTextExtentPoint32W, SetMapMode, GetDIBits, GetObjectW, MoveToEx, GetTextMetricsW, ExcludeClipRect
SHELL32.dll	ShellExecuteW, SHGetKnownFolderPath, SHGetFileInfoW, SHFileOperationW
ole32.dll	CoCreateInstance, CoUninitialize, CoInitializeEx, CoTaskMemFree, OleInitialize, RegisterDragDrop, DoDragDrop, ReleaseStgMedium, CoTaskMemAlloc, CoTaskMemRealloc, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, OleUninitialize
OLEAUT32.dll	SysAllocString, SysFreeString
ADVAPI32.dll	GetUserNameW, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegNotifyChangeKeyValue, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyExW, RegCreateKeyExW, RegCloseKey, CreateProcessWithLogonW, LogonUserW, SetSecurityInfo, SetNamedSecurityInfoW, GetSecurityInfo, GetNamedSecurityInfoW, SetSecurityDescriptorSacl, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, SetSecurityDescriptorControl, MakeSelfRelativeSD, MakeAbsoluteSD, InitializeSecurityDescriptor, GetSecurityDescriptorLength, GetSecurityDescriptorControl, SetEntriesInAclW, InitializeAcl, GetAclInformation, ConvertStringSidToSidW, ConvertSidToStringSidW, LookupAccountNameW, LookupAccountSidW, IsValidSid, GetTokenInformation, GetSidIdentifierAuthority, CreateProcessAsUserW, OpenProcessToken, AllocateAndInitializeSid, CopySid, EqualSid, FreeSid, GetLengthSid

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 12:38:46.748182058 CET	55689	53	192.168.2.4	1.1.1.1
Dec 31, 2024 12:38:46.753035069 CET	53	55689	1.1.1.1	192.168.2.4
Dec 31, 2024 12:38:46.753106117 CET	55689	53	192.168.2.4	1.1.1.1
Dec 31, 2024 12:38:46.757975101 CET	53	55689	1.1.1.1	192.168.2.4
Dec 31, 2024 12:38:47.198360920 CET	55689	53	192.168.2.4	1.1.1.1
Dec 31, 2024 12:38:47.203403950 CET	53	55689	1.1.1.1	192.168.2.4
Dec 31, 2024 12:38:47.203752041 CET	55689	53	192.168.2.4	1.1.1.1
Dec 31, 2024 12:39:01.342103958 CET	64609	53	192.168.2.4	162.159.36.2
Dec 31, 2024 12:39:01.346983910 CET	53	64609	162.159.36.2	192.168.2.4
Dec 31, 2024 12:39:01.347055912 CET	64609	53	192.168.2.4	162.159.36.2
Dec 31, 2024 12:39:01.352705002 CET	53	64609	162.159.36.2	192.168.2.4
Dec 31, 2024 12:39:01.791224957 CET	64609	53	192.168.2.4	162.159.36.2
Dec 31, 2024 12:39:01.796315908 CET	53	64609	162.159.36.2	192.168.2.4
Dec 31, 2024 12:39:01.796410084 CET	64609	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 12:38:46.747734070 CET	53	63469	1.1.1.1	192.168.2.4
Dec 31, 2024 12:39:01.341568947 CET	53	56370	162.159.36.2	192.168.2.4
Dec 31, 2024 12:39:01.813594103 CET	61731	53	192.168.2.4	1.1.1.1
Dec 31, 2024 12:39:01.820765972 CET	53	61731	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 12:39:01.813594103 CET	192.168.2.4	1.1.1.1	0xf943	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 12:39:01.820765972 CET	1.1.1.1	192.168.2.4	0xf943	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Statistics

Click to jump to process

Memory Usage

• VNC-Viewer-7.13.1-Windows.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• VNC-Viewer-7.13.1-Windows.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe

Click to jump to process

System Behavior

Analysis Process: VNC-Viewer-7.13.1-Windows.exePID: 7288, Parent PID: 2580

Function Logs

General

Target ID:	0
Start time:	06:38:25
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VNC-Viewer-7.13.1-Windows.exe"
Imagebase:	0xac0000
File size:	12'649'048 bytes
MD5 hash:	3BF82674647A748A4036984C7C56521B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7356, Parent PID: 7288

Function Logs

General

Target ID:	1
Start time:	06:38:30
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
Imagebase:	0x230000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Process Token Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7416, Parent PID: 620

Function Logs

General

Target ID:	2
Start time:	06:38:30
Start date:	31/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff75ff70000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Written

File Read

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7840, Parent PID: 7416

Function Logs

General

Target ID:	6
Start time:	06:38:52
Start date:	31/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\MsiExec.exe -Embedding 0E7A688FE1F05D12731371BA02BFD3BE E Global\MSI0000
Imagebase:	0x7ff75ff70000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VNC-Viewer-7.13.1-Windows.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\641d66.rbs

C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.1-Windows-64bit.msi

C:\Program Files\RealVNC\VNC Viewer\logmessages.dll

C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealVNC\RealVNC Viewer.lnk

C:\Users\user\AppData\Local\Temp\vnc64.msi

C:\Windows\Installer\641d65.msi

C:\Windows\Installer\641d67.msi

C:\Windows\Installer\MSI1F97.tmp

C:\Windows\Installer\MSI2536.tmp

C:\Windows\Installer\SourceHash{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Installer\{B6BB74A9-9AA6-4B84-83BF-2EA9D038735F}\IconViewer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF00107B2572345DD8.TMP

C:\Windows\Temp\~DF0EA4C211AF8CFFE2.TMP

C:\Windows\Temp\~DF1013DAC2C898AD30.TMP

C:\Windows\Temp\~DF1A73933CECF53520.TMP

C:\Windows\Temp\~DF25EE24F5B94D517E.TMP

C:\Windows\Temp\~DF32DDACCC6613036C.TMP

C:\Windows\Temp\~DF7F37CD12B517E6BE.TMP

C:\Windows\Temp\~DF891DE6E9987873D0.TMP

C:\Windows\Temp\~DF96A0444AAE9B7BFD.TMP

Windows Analysis Report
VNC-Viewer-7.13.1-Windows.exe