File name:	dcsetup.exe
Full analysis:	https://app.any.run/tasks/9f72663c-f29c-4b82-9713-5c7e684b6162
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 24, 2024, 06:46:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer floxif backdoor spyware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	C47F78D04E45B0554D5CF5051901B63A
SHA1:	A99C00A370CBA5C2DB6BFF2ECDCB7B10C86693DE
SHA256:	AD1E7916A6B215E17065F9E36C8D0E216407DDA78317EB394F1CB23E91DD9650
SSDEEP:	98304:IrMDNGz3zh3FrVRZTITd9unmwPqGwJXqzbbGdv24ug936cwoM0XIbJQvoNtjScoC:Rs1VHcoNK8k++7euvnnzhJWPGbw

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:08:01 02:42:47+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25088
InitializedDataSize:	118784
UninitializedDataSize:	1024
EntryPoint:	0x3312
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.0.1.21
ProductVersionNumber:	6.0.1.21
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Latvian
CharacterSet:	Unknown (04E9)
CompanyName:	Glarysoft Ltd
FileDescription:	Glary Disk Cleaner Installer
LegalCopyright:	Copyright (c) 2003 - 2024 Glarysoft Ltd
ProductName:	Glary Disk Cleaner
ProductVersion:	6.0.1.21


(PID) Process:	(5872) dcsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Disk Cleaner
Operation:	write	Name:	Channel
Value: 10000
(PID) Process:	(5872) dcsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Disk Cleaner
Operation:	write	Name:	ProductID
Value: 60121021000
(PID) Process:	(2632) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GUAssistComSvc.EXE
Operation:	write	Name:	AppID
Value: {0BCB705C-0F64-405B-8CB3-CDF41B796E19}
(PID) Process:	(2632) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0BCB705C-0F64-405B-8CB3-CDF41B796E19}
Operation:	delete value	Name:	LocalService
Value:
(PID) Process:	(2632) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(2632) GUAssistComSvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F10E0193-E389-4E51-BDD8-D3DAF5F63851}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(5872) dcsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Glarysoft\Disk Cleaner
Operation:	write	Name:	Language
Value: english.lng
(PID) Process:	(5872) dcsetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Disk Cleaner
Operation:	write	Name:	Macaddress
Value: 4AF8D51F698C3C311473BFD3A35C64B2
(PID) Process:	(5568) stalonestatisticsinfo.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Disk Cleaner
Operation:	write	Name:	Systemversion
Value: 10.0.19045
(PID) Process:	(5568) stalonestatisticsinfo.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Disk Cleaner
Operation:	write	Name:	Syslanguage
Value: English

PID	Process	Filename		Type
5872	dcsetup.exe	C:\Users\admin\AppData\Local\Temp\nsw671B.tmp\modern-wizard.bmp		image
		MD5:5DF1DBCB7959F4C7301BFC7A187BD40E	SHA256:195516D3A434664DFAF86A02E1B2228BC2FD8C6DF08870B96567AEC82101FD47
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\Config.dll		executable
		MD5:A45F72AF9493DC58BC103368CC272E3B	SHA256:255167AB1A6B78BE7289AACC389BD376B8B55A39D631201B7CC6C2F5440DC185
5872	dcsetup.exe	C:\Users\admin\AppData\Local\Temp\nsw671B.tmp\DiskCleaner.ini		binary
		MD5:EA2800B1A32FF7EDD36DA40B8DD7FB2D	SHA256:DBBD443A907C7B5D773BF0BFCAB95BABB31BFB468B6D05662FF298AEB8433C3C
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\DiskCleaner.dll		executable
		MD5:86E80BA3AA4EFDA1199F421EE682F0B8	SHA256:3EFB29E48D5C9C283EF121EEB441046E33AB48F33D48C427FCE2167DC56D9F7C
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\CrashReport.dll		executable
		MD5:9B856978A0406ECA5388F9252A9B546A	SHA256:E5C02CEDF1A15A72D96DA5D4CFD76C46C872A0D52BF4AF203AE7003945FF3CFE
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\GUWndManager.dll		executable
		MD5:43DCAFF67A297DD05A64CABC07335A5B	SHA256:54D68151FDAA41B4FB8E9118F364A5EF5CC1726D900944DD04078A3E5C72719A
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\languages.dll		executable
		MD5:9DF897886DC5D07F145898429F6E7E0D	SHA256:0733D1B23748F55456969B318B40302023AC57E9430B1831A31CB3D595F63099
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\LockDll.dll		executable
		MD5:F021C4052853143778D1E0840C60C9D5	SHA256:1D99039F59664D15BCD9EE9ED92B64139F1A3D87E9D41BD727CB6BDB6A8900CC
5872	dcsetup.exe	C:\Program Files (x86)\Glarysoft\Glary Disk Cleaner\dbghelp.dll		executable
		MD5:74EDBB03DE3291FCF2094AF1FB363F1D	SHA256:DCA9F45EFED8EAB442B491AEBDA3E3CCE7F5F9FC5DE527D2DBDFD85A5BE85DFA
5872	dcsetup.exe	C:\Users\admin\AppData\Local\Temp\nsw671B.tmp\System.dll		executable
		MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1	SHA256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5580	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5568	stalonestatisticsinfo.exe	POST	200	52.24.207.204:80	http://analytics.glarysoft.com/api/v1/install	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5580	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	unknown
5968	DiskCleaner.exe	GET	302	188.114.97.3:80	http://go.glarysoft.com/g/t/modulecheckupdate/cn/10000/s/Glary%20Utilities/v/6.0.1.21/modulename/DiskCleaner.exe/uid/97E0D6C7E0FD8AB69CB8F95348F71F88/urlrand/5161	unknown	—	—	unknown
—	—	GET	200	188.114.96.3:443	https://www.glarysoft.com/update/module/update.ini?v=6.0.1.21&modulename=DiskCleaner.exe&uid=97E0D6C7E0FD8AB69CB8F95348F71F88&urlrand=5161&src=10000	unknown	text	3.20 Kb	whitelisted
—	—	POST	204	104.126.37.137:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5580	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5580	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5580	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
analytics.glarysoft.com	52.24.207.204	unknown
www.bing.com	104.126.37.144 104.126.37.131 104.126.37.146 104.126.37.145 104.126.37.138 104.126.37.128 104.126.37.123 104.126.37.137 104.126.37.136 2.23.209.182 2.23.209.177 2.23.209.133 2.23.209.148 2.23.209.149 2.23.209.140 2.23.209.176 2.23.209.130 2.23.209.179	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
www.glarysoft.com	188.114.96.3 188.114.97.3	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted

PID	Process	Class	Message
5568	stalonestatisticsinfo.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
3488	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3488	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

General Info

dcsetup.exe

C47F78D04E45B0554D5CF5051901B63A

A99C00A370CBA5C2DB6BFF2ECDCB7B10C86693DE

AD1E7916A6B215E17065F9E36C8D0E216407DDA78317EB394F1CB23E91DD9650

98304:IrMDNGz3zh3FrVRZTITd9unmwPqGwJXqzbbGdv24ug936cwoM0XIbJQvoNtjScoC:Rs1VHcoNK8k++7euvnnzhJWPGbw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

FLOXIF has been detected (YARA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops legitimate windows executable

Creates a software uninstall entry

Searches for installed software

Reads security settings of Internet Explorer

Creates file in the systems drive root

Checks Windows Trust Settings

Process requests binary or script from the Internet

INFO

Checks supported languages

Creates files in the program directory

The sample compiled with chinese language support

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Application launched itself

Manual execution by a user

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Drops encrypted VBS script (Microsoft Script Encoder)

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests