File name:	qsearchsetup.exe
Full analysis:	https://app.any.run/tasks/1811dce1-f109-4fd0-946e-bec15df2c113
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 25, 2024, 18:19:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer floxif backdoor spyware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	D4283CCDDF5EF5322BDE2804A8A158D5
SHA1:	B5CB9AE60C4EBEF505B90A617FA9CCB5B444D604
SHA256:	7545882C61855109A9A9D1E4FD7CADF09D73D5B70CF35999BB7EF4D32CA3A64C
SSDEEP:	98304:3A6x8oKKFA/50l0aiIA8cayZ22OVOjzY4k7YLNxtNJQRzFpkz4IAnjsSLjTV0uVs:3/ReL70NH7HZ1tgeuvnnzhGWmGdl

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:08:01 02:42:47+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25088
InitializedDataSize:	118784
UninitializedDataSize:	1024
EntryPoint:	0x3312
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.0.1.15
ProductVersionNumber:	6.0.1.15
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Latvian
CharacterSet:	Unknown (04E9)
CompanyName:	Glarysoft Ltd
FileDescription:	Quick Search Installer
LegalCopyright:	Copyright (c) 2003 - 2024 Glarysoft Ltd
ProductName:	Quick Search
ProductVersion:	6.0.1.15


(PID) Process:	(7008) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GUAssistComSvc.EXE
Operation:	write	Name:	AppID
Value: {0BCB705C-0F64-405B-8CB3-CDF41B796E19}
(PID) Process:	(7008) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0BCB705C-0F64-405B-8CB3-CDF41B796E19}
Operation:	delete value	Name:	LocalService
Value:
(PID) Process:	(7008) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(7008) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Glarysoft\QuickSearch
Operation:	write	Name:	Language
Value: english.lng
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Quick Search
Operation:	write	Name:	Macaddress
Value: C3A6935292C7B01EF79D8EA4BC80432B
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Quick Search
Operation:	write	Name:	Channel
Value: 10000
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Quick Search
Operation:	write	Name:	ProductID
Value: 60115051000
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Quick Search
Operation:	write	Name:	QuickLaunch
Value: true
(PID) Process:	(6560) qsearchsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Quick Search
Operation:	write	Name:	DisplayName
Value: Quick Search 6.0.1.15

PID	Process	Filename		Type
6560	qsearchsetup.exe	C:\Users\admin\AppData\Local\Temp\nse613F.tmp\modern-header.bmp		image
		MD5:5B3A8449994261446421900CC91ED180	SHA256:E8331799398DD911ED33012FC50377CF0E1C357A4B13C12F8F51E1494A65901F
6560	qsearchsetup.exe	C:\Users\admin\AppData\Local\Temp\nse613F.tmp\QuickSearch.ini		binary
		MD5:BA01A1804891B0C5D71E53FB20C9718D	SHA256:8BDE6FE25B0D160600715CA5ACD35D9F35FDAC7D9D7573EA0BA75C97B275FE07
6560	qsearchsetup.exe	C:\Users\admin\AppData\Local\Temp\nse613F.tmp\nsExec.dll		executable
		MD5:09C2E27C626D6F33018B8A34D3D98CB6	SHA256:114C6941A8B489416C84563E94FD266EA5CAD2B518DB45CD977F1F9761E00CB1
6560	qsearchsetup.exe	C:\Program Files (x86)\Glarysoft\Quick Search\Register.dll		executable
		MD5:8CF3C1A7A19665B7F44C6827585C1BBF	SHA256:C553AAFDAD55FB150D471976412D327C721EA6D71B0B394B3D078C1D08E3AD74
6560	qsearchsetup.exe	C:\Users\admin\AppData\Local\Temp\nse613F.tmp\System.dll		executable
		MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1	SHA256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
6560	qsearchsetup.exe	C:\Users\admin\AppData\Local\Temp\nse613F.tmp\InstallOptions.dll		executable
		MD5:5F35212D7E90EE622B10BE39B09BD270	SHA256:31944B93E44301974D9C6F810D2DA792E34A53DCACD619A08CB0385AC59E513D
6560	qsearchsetup.exe	C:\Program Files (x86)\Glarysoft\Quick Search\sqlite3.dll		executable
		MD5:097627849B53FE238613246621CEF4F5	SHA256:6F62D50C4F309CD54A2667ED0ACD2CA7EE1D55715332B913B2AF9CECE868489F
6560	qsearchsetup.exe	C:\Program Files (x86)\Glarysoft\Quick Search\settings.ini		text
		MD5:56688B599335E8FA00E0479E9E9BB4A0	SHA256:AF4C3B39F0580A5B68E402A13DD0E0E506055126E76C327ADFFB6AB8404DFC97
6560	qsearchsetup.exe	C:\Program Files (x86)\Glarysoft\Quick Search\settings.dll		executable
		MD5:0DF9537D6CE4E823C4FA482EB6DC0151	SHA256:68CD782656F227263052D24197D70D54B55B48D534E06E464E6118EFBB6F92EC
6560	qsearchsetup.exe	C:\Program Files (x86)\Glarysoft\Quick Search\zlib1.dll		executable
		MD5:487859DCF99EE4F6957A4DB217DCFD45	SHA256:418826295E231DC5D3E480900D0D70BBFAB64188FD3A1731CB7A6184E2087621

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
372	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
372	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2796	stalonestatisticsinfo.exe	POST	200	52.24.207.204:80	http://analytics.glarysoft.com/api/v1/install	unknown	—	—	unknown
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	unknown
4428	QuickSearch.exe	GET	302	188.114.96.3:80	http://go.glarysoft.com/g/t/modulecheckupdate/cn/10000/s/Glary%20Utilities/v/6.0.1.15/modulename/QuickSearch.exe/uid/BE12D4CC338B8648982C773EE78AA020/urlrand/30034	unknown	—	—	unknown
—	—	GET	—	104.126.37.186:443	https://edgeservices.bing.com/edgesvc/userstatus	unknown	—	—	unknown
—	—	GET	200	13.107.246.45:443	https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable	unknown	binary	14.3 Kb	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
372	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.130:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
372	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
372	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
www.bing.com	104.126.37.130 104.126.37.137 104.126.37.178 104.126.37.185 104.126.37.176 104.126.37.139 104.126.37.129 104.126.37.131 104.126.37.128 2.23.209.161 2.23.209.176 2.23.209.177 2.23.209.182 2.23.209.179 2.23.209.160 2.23.209.158 2.23.209.185 2.23.209.183 104.126.37.153 104.126.37.155 104.126.37.145 104.126.37.136 104.126.37.123 104.126.37.154 104.126.37.144	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
analytics.glarysoft.com	52.24.207.204	unknown
go.glarysoft.com	188.114.96.3 188.114.97.3	unknown
config.edge.skype.com	52.123.243.210 52.123.243.70 52.123.243.81 52.123.224.65 52.123.243.192 52.123.243.218 52.123.243.95 52.123.243.80	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted

PID	Process	Class	Message
2796	stalonestatisticsinfo.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
6544	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6544	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

General Info

qsearchsetup.exe

D4283CCDDF5EF5322BDE2804A8A158D5

B5CB9AE60C4EBEF505B90A617FA9CCB5B444D604

7545882C61855109A9A9D1E4FD7CADF09D73D5B70CF35999BB7EF4D32CA3A64C

98304:3A6x8oKKFA/50l0aiIA8cayZ22OVOjzY4k7YLNxtNJQRzFpkz4IAnjsSLjTV0uVs:3/ReL70NH7HZ1tgeuvnnzhGWmGdl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Actions looks like stealing of personal data

FLOXIF has been detected (YARA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops legitimate windows executable

Executes as Windows Service

Creates a software uninstall entry

Searches for installed software

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Creates file in the systems drive root

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

Process requests binary or script from the Internet

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

Creates files in the program directory

The sample compiled with english language support

The sample compiled with chinese language support

Creates files or folders in the user directory

Checks proxy server information

Manual execution by a user

Application launched itself

Reads the machine GUID from the registry

Reads the software policy settings

Process checks computer location settings

Reads Environment values

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files