Malware analysis ConnectifyInstaller.exe Malicious activity

Add for printing

File name:	ConnectifyInstaller.exe
Full analysis:	https://app.any.run/tasks/7f48bd88-95d7-4d8f-bfa7-8be74e0e911a
Verdict:	Malicious activity
Analysis date:	January 30, 2025, 20:05:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	989B701CFD666960D48F9A3019FE1020
SHA1:	A9F316DD441F586CE7625136EFCB823F0E1DC885
SHA256:	0D7350DAB6CA9F9A575F53238732BAB013AA7912F6F31062BA448E2EF8A42A81
SSDEEP:	196608:jpN8uNvGR2PPBQGD/w4uqY0FCZyoKIJWXiY4Ugk1d7C6Uo26pOziO2jlt:jw5wxJ/wHCboKIJVV4mno2jiht

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - ConnectifyInstaller.exe (PID: 6824)
  - GlobalAtomTable.exe (PID: 7156)
  - ConnectifySupportCenter.exe (PID: 5404)
  - ConnectifyShutdown.exe (PID: 2076)
  - DriverSwitcher.exe (PID: 6220)
  - GlobalAtomTable.exe (PID: 3188)
  - GlobalAtomTable.exe (PID: 6264)
  - ConnectifyService.exe (PID: 2232)
  - Connectifyd.exe (PID: 4160)
  - ConnectifyShutdown.exe (PID: 444)
- Changes the autorun value in the registry
  - ConnectifyInstaller.exe (PID: 6824)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - ConnectifySupportCenter.exe (PID: 5404)
  - ConnectifyShutdown.exe (PID: 2076)
  - ConnectifyShutdown.exe (PID: 444)
- Malware-specific behavior (creating "System.dll" in Temp)
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
- Application launched itself
  - ConnectifyInstaller.exe (PID: 6616)
- Executable content was dropped or overwritten
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - DriverSwitcher.exe (PID: 6220)
  - snetcfg.exe (PID: 6096)
  - drvinst.exe (PID: 6588)
- The process creates files with name similar to system file names
  - ConnectifyInstaller.exe (PID: 6824)
- There is functionality for taking screenshot (YARA)
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - ConnectifySupportCenter.exe (PID: 5404)
- Reads Microsoft Outlook installation path
  - ConnectifyInstaller.exe (PID: 6824)
- Checks Windows Trust Settings
  - ConnectifySupportCenter.exe (PID: 5404)
  - ConnectifyShutdown.exe (PID: 2076)
  - ConnectifyShutdown.exe (PID: 444)
  - Connectifyd.exe (PID: 4160)
- Windows service management via SC.EXE
  - sc.exe (PID: 188)
  - sc.exe (PID: 7112)
  - sc.exe (PID: 4160)
  - sc.exe (PID: 420)
  - sc.exe (PID: 5236)
  - sc.exe (PID: 4864)
- Creates a software uninstall entry
  - ConnectifyInstaller.exe (PID: 6824)
- Suspicious use of NETSH.EXE
  - ConnectifyShutdown.exe (PID: 2076)
  - ConnectifyShutdown.exe (PID: 444)
- Drops a system driver (possible attempt to evade defenses)
  - DriverSwitcher.exe (PID: 6220)
  - snetcfg.exe (PID: 6096)
  - drvinst.exe (PID: 6588)
- Creates files in the driver directory
  - drvinst.exe (PID: 6588)
  - snetcfg.exe (PID: 6096)
- Creates a new Windows service
  - sc.exe (PID: 6540)
- Restarts service on failure
  - sc.exe (PID: 2012)
- Executes as Windows Service
  - ConnectifyService.exe (PID: 2232)
INFO
- Checks supported languages
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - GlobalAtomTable.exe (PID: 7156)
  - ConnectifySupportCenter.exe (PID: 5404)
  - DriverSwitcher.exe (PID: 6220)
  - snetcfg.exe (PID: 6096)
  - ConnectifyShutdown.exe (PID: 2076)
  - GlobalAtomTable.exe (PID: 6264)
  - GlobalAtomTable.exe (PID: 3188)
  - ConnectifyShutdown.exe (PID: 444)
  - ConnectifyService.exe (PID: 2232)
  - Connectifyd.exe (PID: 4160)
- The sample compiled with english language support
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
- Process checks computer location settings
  - ConnectifyInstaller.exe (PID: 6616)
- Reads the computer name
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - ConnectifySupportCenter.exe (PID: 5404)
  - DriverSwitcher.exe (PID: 6220)
  - ConnectifyShutdown.exe (PID: 2076)
  - drvinst.exe (PID: 6588)
  - ConnectifyService.exe (PID: 2232)
  - Connectifyd.exe (PID: 4160)
  - ConnectifyShutdown.exe (PID: 444)
- Create files in a temporary directory
  - ConnectifyInstaller.exe (PID: 6616)
  - ConnectifyInstaller.exe (PID: 6824)
  - DriverSwitcher.exe (PID: 6220)
  - snetcfg.exe (PID: 6096)
- UPX packer has been detected
  - ConnectifyInstaller.exe (PID: 6616)
- Reads the machine GUID from the registry
  - ConnectifySupportCenter.exe (PID: 5404)
  - ConnectifyShutdown.exe (PID: 2076)
  - drvinst.exe (PID: 6588)
  - ConnectifyShutdown.exe (PID: 444)
  - Connectifyd.exe (PID: 4160)
- Reads the software policy settings
  - ConnectifySupportCenter.exe (PID: 5404)
  - ConnectifyShutdown.exe (PID: 2076)
  - drvinst.exe (PID: 6588)
  - ConnectifyShutdown.exe (PID: 444)
- Creates files or folders in the user directory
  - ConnectifySupportCenter.exe (PID: 5404)
- Checks proxy server information
  - ConnectifySupportCenter.exe (PID: 5404)
- Creates files in the program directory
  - ConnectifyInstaller.exe (PID: 6824)
  - DriverSwitcher.exe (PID: 6220)
  - Connectifyd.exe (PID: 4160)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:56:47+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x3640
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	23.0.1.40175
ProductVersionNumber:	23.0.1.40175
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Connectify
FileDescription:	Connectify Hotspot 23
FileVersion:	23.0.1.40175
LegalCopyright:	Copyright 2009-2023
ProductName:	Connectify Hotspot 23
ProductVersion:	23.0.1.40175

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

171

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

sc query Connectify

C:\Windows\SysWOW64\sc.exe

—

ConnectifyInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

420

sc query wlansvc

C:\Windows\SysWOW64\sc.exe

—

ConnectifyInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

444

"C:\Program Files (x86)\Connectify\ConnectifyShutdown.exe" -noui -nosupport -noall -restartservice

C:\Program Files (x86)\Connectify\ConnectifyShutdown.exe

—

ConnectifyInstaller.exe

User:

admin

Company:

Connectify

Integrity Level:

HIGH

Description:

Connectify Shutdown App

Exit code:

Version:

23.0.1.40175

Modules

Images
c:\program files (x86)\connectify\connectifyshutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1016

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snetcfg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1580

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

GlobalAtomTable.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2012

sc failure Connectify actions= restart/10000/restart/30000/restart/300000 reset= 6000

C:\Windows\SysWOW64\sc.exe

—

ConnectifyInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2076

"C:\Users\admin\AppData\Local\Temp\Connectify\f8df1d88c6b54709f6e35ca62e7265d0\ConnectifyShutdown"

C:\Users\admin\AppData\Local\Temp\Connectify\f8df1d88c6b54709f6e35ca62e7265d0\ConnectifyShutdown.exe

—

ConnectifyInstaller.exe

User:

admin

Company:

Connectify

Integrity Level:

HIGH

Description:

Connectify Shutdown App

Exit code:

Version:

23.0.1.40175

Modules

Images
c:\users\admin\appdata\local\temp\connectify\f8df1d88c6b54709f6e35ca62e7265d0\connectifyshutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2168

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Connectifyd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2232

"C:\Program Files (x86)\Connectify\ConnectifyService.exe"

C:\Program Files (x86)\Connectify\ConnectifyService.exe

—

services.exe

User:

SYSTEM

Company:

Connectify

Integrity Level:

SYSTEM

Version:

23.0.1.40175

Modules

Images
c:\program files (x86)\connectify\connectifyservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

2280

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

20 536

Read events

20 465

Write events

Delete events

Modification events


(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify-Installer
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Connectify-Installer
Value: C:\Users\admin\AppData\Local\Temp\Connectify\runInstaller.bat
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Connectify
Operation:	write	Name:	PolicyDate
Value: 20180510
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Connectify
Operation:	write	Name:	InstallType
Value: False
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify Hotspot 2018
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify Hotspot 2019
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify Hotspot 2020
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify Hotspot 2021
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify
Value:
(PID) Process:	(6824) ConnectifyInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Connectify
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6616	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nsh5C7D.tmp\modern-header.bmp		image
		MD5:F50B6CEE1BE90D50AF582E57528C7000	SHA256:E83DC2CA1239E62D979C02CA8A8B394573BF50C650AAF4D38799E97D618FECA4
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nst5FC9.tmp\UAC.dll		executable
		MD5:ADB29E6B186DAA765DC750128649B63D	SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\Connectify\f8df1d88c6b54709f6e35ca62e7265d0\ConnectifyGopher.exe.config		xml
		MD5:2E8F098A4B39479ABDB3EDB8AFAFEE69	SHA256:70DC1E46CAE7122C8D6013B2CA798A76AA713B517DB2AFB01C162F0491E155B6
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\Connectify\f8df1d88c6b54709f6e35ca62e7265d0\ConnectifyStartup.exe.config		xml
		MD5:5AE4200CAC6C4D2328D1792F18C80836	SHA256:352DD8D23456D42B9C69955CDFF1ED42064B30C203B4C965E41D32A32BC77C9C
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nst5FC9.tmp\modern-header.bmp		image
		MD5:F50B6CEE1BE90D50AF582E57528C7000	SHA256:E83DC2CA1239E62D979C02CA8A8B394573BF50C650AAF4D38799E97D618FECA4
6616	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nsh5C7D.tmp\modern-wizard.bmp		image
		MD5:AE43624C14859150EDFB54B4024AFF46	SHA256:D5B56046F10941E6659277D46FFD4A0D327DB24BE3174D6A8E7AE0660DA874E9
6616	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nsh5C7D.tmp\System.dll		executable
		MD5:CFF85C549D536F651D4FB8387F1976F2	SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
6616	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nsh5C7D.tmp\UAC.dll		executable
		MD5:ADB29E6B186DAA765DC750128649B63D	SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nst5FC9.tmp\md5dll.dll		executable
		MD5:7059F133EA2316B9E7E39094A52A8C34	SHA256:32C3D36F38E7E8A8BAFD4A53663203EF24A10431BDA16AF9E353C7D5D108610F
6824	ConnectifyInstaller.exe	C:\Users\admin\AppData\Local\Temp\nst5FC9.tmp\modern-wizard.bmp		image
		MD5:AE43624C14859150EDFB54B4024AFF46	SHA256:D5B56046F10941E6659277D46FFD4A0D327DB24BE3174D6A8E7AE0660DA874E9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	DE	binary	313 b	whitelisted
5404	ConnectifySupportCenter.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D	DE	binary	314 b	whitelisted
5404	ConnectifySupportCenter.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAk0ptKUFMa%2B78vnwiYNf%2Fs%3D	DE	binary	312 b	whitelisted
6424	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	DE	binary	471 b	whitelisted
5548	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	419 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
5548	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	408 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	20.190.160.66:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1076	svchost.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	172.217.18.14	whitelisted
www.bing.com	104.126.37.144 104.126.37.136 104.126.37.123 104.126.37.139 104.126.37.129 104.126.37.130 104.126.37.154 104.126.37.176	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
login.live.com	20.190.160.66 40.126.32.68 20.190.160.64 40.126.32.134 40.126.32.136 20.190.160.2 20.190.160.22 20.190.160.67	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

ConnectifyInstaller.exe

989B701CFD666960D48F9A3019FE1020

A9F316DD441F586CE7625136EFCB823F0E1DC885

0D7350DAB6CA9F9A575F53238732BAB013AA7912F6F31062BA448E2EF8A42A81

196608:jpN8uNvGR2PPBQGD/w4uqY0FCZyoKIJWXiY4Ugk1d7C6Uo26pOziO2jlt:jw5wxJ/wHCboKIJVV4mno2jiht

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Malware-specific behavior (creating "System.dll" in Temp)

Application launched itself

Executable content was dropped or overwritten

The process creates files with name similar to system file names

There is functionality for taking screenshot (YARA)

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

Windows service management via SC.EXE

Creates a software uninstall entry

Suspicious use of NETSH.EXE

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates a new Windows service

Restarts service on failure

Executes as Windows Service

INFO

Checks supported languages

The sample compiled with english language support

Process checks computer location settings

Reads the computer name

Create files in a temporary directory

UPX packer has been detected

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Checks proxy server information

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections