File name: qcinst3.0.exe
Full analysis: https://app.any.run/tasks/e22c39cf-cb1f-43b7-b198-c071ed380657
Verdict: Malicious activity
Analysis date: March 22, 2024, 18:56:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5: C8F493CE448519448BB4B321CFE9F88D
SHA1: 20DFCAF82A3D624FA1D69F0CAD9918A24BF3909C
SHA256: 3FE9D066251813E2518AAF76EB4E5C7221151DDC2ED67B74D8FBFA731A6E2075
SSDEEP: 98304:TChgDHX3hGzWO9XXh2/y55yXx9HA0a3UA2ejVgkinLeHsoLoaKb5z6atFf912O9z:jmx/DTRWnN2C0P8SMunO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • qcinst3.0.exe (PID: 2908)
      • _INS5176._MP (PID: 2064)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • ntvdm.exe (PID: 3488)
      • _INS5176._MP (PID: 2064)
    • Process drops legitimate windows executable

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Executable content was dropped or overwritten

      • _INS5176._MP (PID: 2064)
      • qcinst3.0.exe (PID: 2908)
      • ntvdm.exe (PID: 3488)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
    • Creates file in the systems drive root

      • ntvdm.exe (PID: 3488)
    • Creates a software uninstall entry

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Searches for installed software

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Creates or modifies Windows services

      • _INS5176._MP (PID: 2152)
    • Executes as Windows Service

      • endpoint.exe (PID: 1644)
    • Application launched itself

      • _INS5176._MP (PID: 2064)
  • INFO

    • Checks supported languages

      • qcinst3.0.exe (PID: 2908)
      • _INS5176._MP (PID: 2064)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
      • MEvercheck.exe (PID: 2156)
      • CleanepNT.exe (PID: 1992)
      • endpoint.exe (PID: 1644)
      • qcheck.exe (PID: 1556)
    • Reads the computer name

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
      • CleanepNT.exe (PID: 1992)
      • endpoint.exe (PID: 1644)
      • qcheck.exe (PID: 1556)
    • Drops the executable file immediately after the start

      • ntvdm.exe (PID: 3488)
    • Create files in a temporary directory

      • _INS5176._MP (PID: 2064)
      • qcinst3.0.exe (PID: 2908)
      • ntvdm.exe (PID: 3488)
      • _INS5176._MP (PID: 2152)
    • Creates files in the program directory

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Creates files or folders in the user directory

      • qcheck.exe (PID: 1556)
    • Manual execution by a user

      • qcheck.exe (PID: 1556)
    • Application launched itself

      • msedge.exe (PID: 3800)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
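The signature names above are ANY.RUN's. As an added example (not code from ANY.RUN or from Ixia), the Python below turns a handful of those signatures into explicit predicates and runs them over process-creation events constructed from the "Process information" entries further down this page, so it is visible exactly which observation each signature rests on. The image path and integrity level of _INS5176._MP (PID 2064) are not printed on the page and are assumptions; every other field is copied from the report.

```python
import ntpath
from dataclasses import dataclass

# Extensions a normal Windows process image is expected to carry.
KNOWN_EXE_EXT = {".exe", ".com", ".scr", ".cpl"}
# Path fragments that mark a temporary location (compared lower-cased).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str       # full image path
    parent: str      # parent image name
    integrity: str   # LOW / MEDIUM / HIGH / SYSTEM
    user: str


# Constructed from the report's "Process information" entries. The path and
# integrity of _INS5176._MP (PID 2064) are NOT on the page and are assumed here
# (InstallShield unpacks its engine under %TEMP%; its children run HIGH).
EVENTS = [
    ProcEvent(1696, r"C:\Users\admin\Desktop\qcinst3.0.exe", "explorer.exe", "MEDIUM", "admin"),
    ProcEvent(2064, r"C:\Users\admin\AppData\Local\Temp\_INS5176._MP", "qcinst3.0.exe", "HIGH", "admin"),
    ProcEvent(1740, r"C:\Program Files\Ixia\Qcheck\Temp\ewin32.exe", "_INS5176._MP", "HIGH", "admin"),
    ProcEvent(1992, r"C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\CleanepNT.exe", "_INS5176._MP", "HIGH", "admin"),
    ProcEvent(1644, r"C:\Program Files\Ixia\Endpoint\endpoint.exe", "services.exe", "SYSTEM", "SYSTEM"),
    ProcEvent(1556, r"C:\Program Files\Ixia\Qcheck\qcheck.exe", "explorer.exe", "MEDIUM", "admin"),
]


def _ext(path: str) -> str:
    """Lower-cased extension of the last path component ('._MP' -> '._mp')."""
    return ntpath.splitext(ntpath.basename(path))[1].lower()


def in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


# rule name -> predicate over one event; names mirror the sandbox signatures above
RULES = {
    # "Starts application with an unusual extension", seen from the child's side
    "unusual_extension": lambda ev: _ext(ev.image) not in KNOWN_EXE_EXT,
    # and from the parent's side: what did the ._MP engine spawn?
    "child_of_unusual_extension": lambda ev: _ext(ev.parent) not in KNOWN_EXE_EXT,
    # "Executable content was dropped" and then executed from a temp directory
    "temp_execution": lambda ev: in_temp(ev.image),
    # same, but already elevated: a dropped binary running as HIGH or SYSTEM
    "elevated_temp_execution": lambda ev: in_temp(ev.image) and ev.integrity in {"HIGH", "SYSTEM"},
    # "Executes as Windows Service": the SCM is the parent and the token is SYSTEM
    "service_child": lambda ev: ev.parent.lower() == "services.exe" and ev.user == "SYSTEM",
}


def evaluate(events) -> list:
    """Sorted (rule, pid) pairs for every rule that fires on an event."""
    hits = [(name, ev.pid) for ev in events for name, pred in RULES.items() if pred(ev)]
    return sorted(hits)


def by_pid(events) -> dict:
    """Findings grouped per process, for a quick triage view."""
    out = {}
    for name, pid in evaluate(events):
        out.setdefault(pid, []).append(name)
    return out


if __name__ == "__main__":
    for pid, names in sorted(by_pid(EVENTS).items()):
        image = next(ev.image for ev in EVENTS if ev.pid == pid)
        print(f"{pid:>5}  {ntpath.basename(image):<16} {', '.join(names)}")
```

Running it prints one line per process that fired a rule; qcinst3.0.exe (1696) and qcheck.exe (1556) fire none. That is the same picture the signature list gives: the hits come from the InstallShield engine (a ._MP image executing from %TEMP% at HIGH integrity) and the helpers it drops, plus the service it registers, not from the packaged installer stub itself.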

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (53)
.exe | InstallShield setup (16.9)
.exe | Win32 Executable MS Visual C++ (generic) (12.2)
.exe | Win64 Executable (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1998:03:26 14:31:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 69120
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0xc110
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.5.0
ProductVersionNumber: 2.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: InstallShield Software Corporation
FileDescription: PackageForTheWeb Stub
FileVersion: 2.02.001
InternalName: STUB.EXE
LegalCopyright: Copyright © 1996 InstallShield Software Corporation
OriginalFileName: STUB32.EXE
ProductName: PackageForTheWeb Stub
ProductVersion: 2.02.001
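The EXIF block above is what the sandbox's exiftool pass reports. As an added example (not part of the ANY.RUN report and not Ixia's or InstallShield's code), the Python below recomputes the header fields that block is derived from (machine, link timestamp, characteristics, linker version, entry point, subsystem) straight from the PE bytes, and computes the three hashes so a file on disk can be checked against the IOCs at the top of the page. The embedded sample is a constructed, minimal PE32 header that carries the report's values; it is not qcinst3.0.exe, so its hashes deliberately do not match the report, and the script says so. Version-resource strings (CompanyName, OriginalFileName) live in the resource directory and are not parsed here.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Hashes exactly as listed in the report header.
REPORT_HASHES = {
    "md5": "C8F493CE448519448BB4B321CFE9F88D",
    "sha1": "20DFCAF82A3D624FA1D69F0CAD9918A24BF3909C",
    "sha256": "3FE9D066251813E2518AAF76EB4E5C7221151DDC2ED67B74D8FBFA731A6E2075",
}

# IMAGE_FILE_* characteristic bits, named the way the report's EXIF line names them.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, upper-case hex to match the report."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_report(data: bytes) -> dict:
    """Per-algorithm comparison against REPORT_HASHES; all three should agree for a real match."""
    got = file_hashes(data)
    return {alg: got[alg] == REPORT_HASHES[alg] for alg in REPORT_HASHES}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and the fixed-offset part of the optional header.

    No section table or resource directory is needed for these fields, which is
    enough to cross-check the EXIF values the sandbox prints.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, code_sz, init_sz, uninit_sz, entry = struct.unpack_from("<HBBIIII", data, opt)
    # PE32 and PE32+ differ in width from ImageBase onward, but these three sit at the
    # same offsets in both: OS version at +40, subsystem version at +48, Subsystem at +68.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "MachineType": MACHINES.get(machine, f"0x{machine:04x}"),
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(name for bit, name in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"0x{magic:x}"),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code_sz,
        "InitializedDataSize": init_sz,
        "UninitializedDataSize": uninit_sz,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_major}.{os_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in: a bare PE32 header carrying the values the report lists.

    This is NOT qcinst3.0.exe; it only lets the parser run offline.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine 0x14C, 3 sections, 1998-03-26 14:31:20 UTC, optional header 0xE0 bytes,
    # characteristics 0x010F = relocs stripped | executable | no line numbers | no symbols | 32-bit
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 890922680, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 5, 0, 69120, 75776, 0, 0xC110)
    struct.pack_into("<HH", opt, 40, 4, 0)   # OSVersion 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)   # SubsystemVersion 4.0
    struct.pack_into("<H", opt, 68, 2)       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """First-pass static check: hashes, IOC match and header fields in one dict."""
    return {"hashes": file_hashes(data), "ioc_match": matches_report(data), "pe": parse_pe_header(data)}


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a path argument to check a real file; without one it parses the constructed header and prints a 1998:03:26 14:31:20+00:00 timestamp, entry point 0xc110 and the same characteristics string as the EXIF block, while every entry of ioc_match is false because the sample is not the real binary.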
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 25
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes, in the order the graph lists them ("no specs" in the original marks a process with no signature hits of its own): qcinst3.0.exe, ntvdm.exe, _ins5176._mp, ewin32.exe, _ins5176._mp, mevercheck.exe (no specs), cleanepnt.exe (no specs), endpoint.exe (no specs), qcheck.exe, then msedge.exe and its helper processes (most of them no specs), and finally qcinst3.0.exe (no specs).

Process information

Each entry gives PID, command line, image path and parent process, followed by the process details and the first loaded modules.
PID: 924
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1556
CMD: "C:\Program Files\Ixia\Qcheck\qcheck.exe"
Path: C:\Program Files\Ixia\Qcheck\qcheck.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\program files\ixia\qcheck\qcheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\ixia\qcheck\qchkcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 1644
CMD: C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
Path: C:\Program Files\Ixia\Endpoint\endpoint.exe
Parent process: services.exe
User:
SYSTEM
Company:
Ixia
Integrity Level:
SYSTEM
Description:
Performance Endpoint
Exit code:
0
Version:
5.1
Modules
Images
c:\program files\ixia\endpoint\endpoint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\ixia\endpoint\ecomtcp.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 1696
CMD: "C:\Users\admin\Desktop\qcinst3.0.exe"
Path: C:\Users\admin\Desktop\qcinst3.0.exe
Parent process: explorer.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
MEDIUM
Description:
PackageForTheWeb Stub
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance exited because the image requires elevation, which fits the HIGH integrity level of the installer's child processes listed here)
Version:
2.02.001
Modules
Images
c:\users\admin\desktop\qcinst3.0.exe
c:\windows\system32\ntdll.dll
PID: 1740
CMD: C:\PROGRA~1\Ixia\Qcheck\Temp\ewin32.exe
Path: C:\Program Files\Ixia\Qcheck\Temp\ewin32.exe
Parent process: _INS5176._MP
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\ixia\qcheck\temp\ewin32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1796
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1820
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2888 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1992
CMD: CleanepNT.exe
Path: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\CleanepNT.exe
Parent process: _INS5176._MP
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\_istmp1.dir\cleanepnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2032
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2052
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1556 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 907
Read events: 10 805
Write events: 88
Delete events: 14

Modification events

(2064) _INS5176._MP  delete key  HKEY_LOCAL_MACHINE\SOFTWARE\Dummy_Key_0
  Name: (default)  Value: (empty)
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: UninstallString  Value: C:\Windows\IsUninst.exe -f"C:\Program Files\Ixia\Qcheck\DeIsL1.isu"
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: DisplayName  Value: Ixia Qcheck
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Qcheck.exe
  Name: Path  Value: C:\Program Files\Ixia\Qcheck
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: UninstallString  Value: C:\Windows\IsUninst.exe -f"C:\Program Files\Ixia\Qcheck\DeIsL1.isu" -c"C:\Program Files\Ixia\Qcheck\QC_unst.dll"
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: Comments  Value: Copyright © 1997-2004 IXIA
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: DisplayVersion  Value: 3.0.1.42
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: Version  Value: 3.0.1.42
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: DisplayIcon  Value: C:\Program Files\Ixia\Qcheck\qcheck.exe
(2064) _INS5176._MP  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck
  Name: HelpLink  Value: http://www.ixiacom.com/support
Executable files: 76
Suspicious files: 45
Text files: 150
Unknown types: 21

Dropped files

Each entry: PID, process, dropped file path, file type as classified by the sandbox, then MD5 and SHA256 ("-" where the report prints nothing).

2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\pftw1.pkg  (type: -)
  MD5: -
  SHA256: -
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\_user1.cab  (type: -)
  MD5: -
  SHA256: -
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\layout.bin  (type: binary)
  MD5: 6135EBE150405CC4EE99731B5F6B58B0
  SHA256: F5342BE23403E4CACD47BFADF8E4138596D8CD1E3C6EF9B646D56161DB86E46C
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\lang.dat  (type: text)
  MD5: D0754BCEFD6EE3EBC144BEAF9E193332
  SHA256: ACA8915EF96667D8253D0BCCB11093861F8CCC199FED7509698B075E4A889DF6
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\plf2853.tmp  (type: text)
  MD5: B7A48BD3C990175B49570700EAC0FF04
  SHA256: 1A233CD321E2FE8B38208DA726A4FF2D22989CF5FB345798E90AE79446981AEB
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.ini  (type: text)
  MD5: 0637BA269532C5089CF9D88C74FB8A34
  SHA256: FC054FB8F5F4C13F164F1CC1CA7BCB04E8DB89F2BB69C8E3E8AED5BA113076D5
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\os.dat  (type: text)
  MD5: AF1D8D9435CB10FE2F4B4215EAF6BEC4
  SHA256: 2F148CB3D32AB70A315B5A853761C2702B6DEEF6FFAFF6AA76D513B945CE7EF7
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.ins  (type: binary)
  MD5: C87CA19B9151AEE85B3CC0A7A9742FD7
  SHA256: 6C2B4B3480FAD0DA8B7F16741EF7617102CBFB15ADC9FDE86557F66383E92BB6
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\data1.cab  (type: compressed)
  MD5: 5CFD1A7F52B2904DEC9E6C275F92C7DF
  SHA256: B1877F92348E35B912A6D6CB57E64A6913662872187D3CE484680D9B5F905FA8
2908 qcinst3.0.exe  C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.exe  (type: executable)
  MD5: 38369BACC2BF3C731CCF2C9ED7FAC71C
  SHA256: 377596E717DC9B3D5714DDB5B71E598F4085103E1D05F8DD7E01115073D86798
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 12
DNS requests: 9
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation. The single record carries only the values shown; the remaining cells are empty in the report.

1556  qcheck.exe  GET  204.74.99.100:80  http://204.74.99.100:80/update/updcheck.txt  unknown  unknown

The update check is an unencrypted HTTP request to a bare IP address (the one www.qcheck.net resolved to, see DNS requests below). No response is recorded on this page, so whether the client validates what it fetches cannot be judged from this report alone.

Connections

PID   Process      Endpoint               Domain                  ASN                            CN   Reputation
4     System       192.168.100.255:138    -                       -                              -    whitelisted
4     System       192.168.100.255:137    -                       -                              -    whitelisted
-     -            224.0.0.252:5355       -                       -                              -    unknown
1080  svchost.exe  224.0.0.252:5355       -                       -                              -    unknown
1556  qcheck.exe   204.74.99.100:80       www.qcheck.net          ULTRADNS                       US   unknown
3800  msedge.exe   239.255.255.250:1900   -                       -                              -    unknown
924   msedge.exe   13.107.42.16:443       config.edge.skype.com   MICROSOFT-CORP-MSN-AS-BLOCK    US   whitelisted
924   msedge.exe   13.107.21.239:443      edge.microsoft.com      MICROSOFT-CORP-MSN-AS-BLOCK    US   unknown
3800  msedge.exe   224.0.0.251:5353       -                       -                              -    unknown
924   msedge.exe   204.79.197.239:443     edge.microsoft.com      MICROSOFT-CORP-MSN-AS-BLOCK    US   unknown

("-" marks a cell the report leaves empty; the third row has no PID or process name on the page.)

DNS requests

Domain                                                  IP(s)                            Reputation
www.qcheck.net                                          204.74.99.100                    unknown
config.edge.skype.com                                   13.107.42.16                     whitelisted
edge.microsoft.com                                      13.107.21.239, 204.79.197.239    whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com    152.199.21.175                   whitelisted

Threats

No threats detected
Debug output strings (all emitted by qcheck.exe)

Tree instance created
TraceTest::Check
client block at 0x02667BC0, subtype 0, 104 bytes long.
{732}
strcore.cpp(118) :
Dumping objects ->
strcore.cpp(118) :
Data: < ; ; Repo> 01 00 00 00 3B 00 00 00 3B 00 00 00 52 65 70 6F
normal block at 0x02667C78, 73 bytes long.
client block at 0x0266BEB0, subtype 0, 64 bytes long.

These lines are the Microsoft C runtime's debug-heap leak dump ("Dumping objects ->", "{732} client block at ...", with strcore.cpp being MFC's CString implementation), which means qcheck.exe was built against the debug CRT. They are developer diagnostics, not an indicator of malicious behaviour.