File name: qcinst3.0.exe
Full analysis: https://app.any.run/tasks/e22c39cf-cb1f-43b7-b198-c071ed380657
Verdict: Malicious activity
Analysis date: March 22, 2024, 18:56:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5: C8F493CE448519448BB4B321CFE9F88D
SHA1: 20DFCAF82A3D624FA1D69F0CAD9918A24BF3909C
SHA256: 3FE9D066251813E2518AAF76EB4E5C7221151DDC2ED67B74D8FBFA731A6E2075
SSDEEP: 98304:TChgDHX3hGzWO9XXh2/y55yXx9HA0a3UA2ejVgkinLeHsoLoaKb5z6atFf912O9z:jmx/DTRWnN2C0P8SMunO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • qcinst3.0.exe (PID: 2908)
      • _INS5176._MP (PID: 2064)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ntvdm.exe (PID: 3488)
      • qcinst3.0.exe (PID: 2908)
      • _INS5176._MP (PID: 2064)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
    • Creates file in the systems drive root

      • ntvdm.exe (PID: 3488)
    • Starts application with an unusual extension

      • ntvdm.exe (PID: 3488)
      • _INS5176._MP (PID: 2064)
    • Process drops legitimate windows executable

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Searches for installed software

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Creates a software uninstall entry

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Application launched itself

      • _INS5176._MP (PID: 2064)
    • Creates or modifies Windows services

      • _INS5176._MP (PID: 2152)
    • Executes as Windows Service

      • endpoint.exe (PID: 1644)
  • INFO

    • Create files in a temporary directory

      • qcinst3.0.exe (PID: 2908)
      • ntvdm.exe (PID: 3488)
      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Checks supported languages

      • qcinst3.0.exe (PID: 2908)
      • _INS5176._MP (PID: 2064)
      • ewin32.exe (PID: 1740)
      • _INS5176._MP (PID: 2152)
      • MEvercheck.exe (PID: 2156)
      • CleanepNT.exe (PID: 1992)
      • endpoint.exe (PID: 1644)
      • qcheck.exe (PID: 1556)
    • Drops the executable file immediately after the start

      • ntvdm.exe (PID: 3488)
    • Reads the computer name

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
      • CleanepNT.exe (PID: 1992)
      • endpoint.exe (PID: 1644)
      • qcheck.exe (PID: 1556)
    • Creates files in the program directory

      • _INS5176._MP (PID: 2064)
      • _INS5176._MP (PID: 2152)
    • Creates files or folders in the user directory

      • qcheck.exe (PID: 1556)
    • Application launched itself

      • msedge.exe (PID: 3800)
    • Manual execution by a user

      • qcheck.exe (PID: 1556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (53)
.exe | InstallShield setup (16.9)
.exe | Win32 Executable MS Visual C++ (generic) (12.2)
.exe | Win64 Executable (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1998:03:26 14:31:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 69120
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0xc110
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.5.0
ProductVersionNumber: 2.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: InstallShield Software Corporation
FileDescription: PackageForTheWeb Stub
FileVersion: 2.02.001
InternalName: STUB.EXE
LegalCopyright: Copyright © 1996 InstallShield Software Corporation
OriginalFileName: STUB32.EXE
ProductName: PackageForTheWeb Stub
ProductVersion: 2.02.001
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 25
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph, as listed from the start node ("no specs" marks a process that triggered no indicators): qcinst3.0.exe, ntvdm.exe, _ins5176._mp, ewin32.exe, _ins5176._mp, mevercheck.exe (no specs), cleanepnt.exe (no specs), endpoint.exe (no specs), qcheck.exe, msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs) ×11, qcinst3.0.exe (no specs)

Process information

Each entry lists PID, command line, image path and parent process, followed by the user, company, integrity level, description, exit code, version and the loaded modules recorded by the sandbox.
PID: 924
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1556
CMD: "C:\Program Files\Ixia\Qcheck\qcheck.exe"
Path: C:\Program Files\Ixia\Qcheck\qcheck.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\program files\ixia\qcheck\qcheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\ixia\qcheck\qchkcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 1644
CMD: C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
Path: C:\Program Files\Ixia\Endpoint\endpoint.exe
Parent process: services.exe
User:
SYSTEM
Company:
Ixia
Integrity Level:
SYSTEM
Description:
Performance Endpoint
Exit code:
0
Version:
5.1
Modules
Images
c:\program files\ixia\endpoint\endpoint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\ixia\endpoint\ecomtcp.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 1696
CMD: "C:\Users\admin\Desktop\qcinst3.0.exe"
Path: C:\Users\admin\Desktop\qcinst3.0.exe
Parent process: explorer.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
MEDIUM
Description:
PackageForTheWeb Stub
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this launch from explorer.exe got no further than loading ntdll.dll because the process needed elevation; the instance that actually installs is PID 2908, whose descendants ewin32.exe and CleanepNT.exe run at HIGH integrity)
Version:
2.02.001
Modules
Images
c:\users\admin\desktop\qcinst3.0.exe
c:\windows\system32\ntdll.dll
PID: 1740
CMD: C:\PROGRA~1\Ixia\Qcheck\Temp\ewin32.exe
Path: C:\Program Files\Ixia\Qcheck\Temp\ewin32.exe
Parent process: _INS5176._MP
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\ixia\qcheck\temp\ewin32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1796
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1820
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2888 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1992
CMD: CleanepNT.exe
Path: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\CleanepNT.exe
Parent process: _INS5176._MP
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\_istmp1.dir\cleanepnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2032
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2052
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1556 --field-trial-handle=1288,i,1225834183918054357,400532810778073595,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 907
Read events: 10 805
Write events: 88
Delete events: 14

Modification events

All entries are by PID 2064 (_INS5176._MP). "-" means no value was recorded.

PID | Process | Operation | Key | Name | Value
2064 | _INS5176._MP | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Dummy_Key_0 | (default) | -
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | UninstallString | C:\Windows\IsUninst.exe -f"C:\Program Files\Ixia\Qcheck\DeIsL1.isu"
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | DisplayName | Ixia Qcheck
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Qcheck.exe | Path | C:\Program Files\Ixia\Qcheck
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | UninstallString | C:\Windows\IsUninst.exe -f"C:\Program Files\Ixia\Qcheck\DeIsL1.isu" -c"C:\Program Files\Ixia\Qcheck\QC_unst.dll"
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | Comments | Copyright © 1997-2004 IXIA
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | DisplayVersion | 3.0.1.42
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | Version | 3.0.1.42
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | DisplayIcon | C:\Program Files\Ixia\Qcheck\qcheck.exe
2064 | _INS5176._MP | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck | HelpLink | http://www.ixiacom.com/support
Executable files: 76
Suspicious files: 45
Text files: 150
Unknown types: 21

Dropped files

All entries are by PID 2908 (qcinst3.0.exe). "-" means the report records no value.

PID | Process | Filename | Type | MD5 | SHA256
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\pftw1.pkg | - | - | -
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\_user1.cab | - | - | -
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\_sys1.cab | compressed | 86D977E286194817E5BBF4CA8571E50A | 89D62726BC0F55FE3D0F1B5E7FD69D03212C430A5A638859F374EAD2D15C5260
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\data1.cab | compressed | 5CFD1A7F52B2904DEC9E6C275F92C7DF | B1877F92348E35B912A6D6CB57E64A6913662872187D3CE484680D9B5F905FA8
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\os.dat | text | AF1D8D9435CB10FE2F4B4215EAF6BEC4 | 2F148CB3D32AB70A315B5A853761C2702B6DEEF6FFAFF6AA76D513B945CE7EF7
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\plf2853.tmp | text | B7A48BD3C990175B49570700EAC0FF04 | 1A233CD321E2FE8B38208DA726A4FF2D22989CF5FB345798E90AE79446981AEB
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\lang.dat | text | D0754BCEFD6EE3EBC144BEAF9E193332 | ACA8915EF96667D8253D0BCCB11093861F8CCC199FED7509698B075E4A889DF6
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.ini | text | 0637BA269532C5089CF9D88C74FB8A34 | FC054FB8F5F4C13F164F1CC1CA7BCB04E8DB89F2BB69C8E3E8AED5BA113076D5
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.lid | text | 1B79748E93A541CC1590505B6C72828A | 708D29C649525882937031B3D73CC851B7B1BC30772EB4E0E2A71523908F2EB5
2908 | qcinst3.0.exe | C:\Users\admin\AppData\Local\Temp\pft2865~tmp\setup.ins | binary | C87CA19B9151AEE85B3CC0A7A9742FD7 | 6C2B4B3480FAD0DA8B7F16741EF7617102CBFB15ADC9FDE86557F66383E92BB6
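The registry keys, dropped paths, service and hashes recorded above are what an incident responder would look for on another host. The following PowerShell script is an added example and is not code from ANY.RUN, Ixia or InstallShield: it checks a host, read-only, for the Uninstall and App Paths keys, the Ixia install directories and the InstallShield uninstaller, any service whose image path is endpoint.exe, and leftover pft*~tmp / _ISTMP*.DIR staging directories, and compares the SHA256 of each file it finds against the three SHA256 values the report gives. It assumes an elevated PowerShell 5.1 or later and default install paths; on 64-bit Windows a 32-bit installer's HKLM\SOFTWARE writes are redirected to WOW6432Node and its files to "Program Files (x86)", so both views are checked. The report does not name the service, so the script matches on the image path instead of guessing a name.

```powershell
# Added host-triage example; not code from ANY.RUN, Ixia or InstallShield. Read-only.
# Assumptions: elevated PowerShell 5.1+, default install paths, both the native and the
# WOW6432Node / "Program Files (x86)" views checked, and only the current user's %TEMP%
# inspected for staging directories.

$Sha256FromReport = @{   # SHA256 values copied from the report above
    'qcinst3.0.exe' = '3FE9D066251813E2518AAF76EB4E5C7221151DDC2ED67B74D8FBFA731A6E2075'
    '_sys1.cab'     = '89D62726BC0F55FE3D0F1B5E7FD69D03212C430A5A638859F374EAD2D15C5260'
    'data1.cab'     = 'B1877F92348E35B912A6D6CB57E64A6913662872187D3CE484680D9B5F905FA8'
}

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Qcheck'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Qcheck.exe'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\Qcheck.exe'
)

$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$Findings = New-Object System.Collections.Generic.List[object]

function Add-FileFinding([string]$Path) {
    # Hash the file and state whether the report carries a reference hash for that file name.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $name = Split-Path -Path $Path -Leaf
    $verdict = if ($Sha256FromReport.ContainsKey($name)) {
        if ($Sha256FromReport[$name] -eq $hash) { 'matches report' } else { 'DIFFERS from report' }
    } else { 'no reference hash in report' }
    $Findings.Add([pscustomobject]@{ Kind = 'File'; Item = $Path; Detail = "SHA256=$hash ($verdict)" })
}

# 1. Uninstall and App Paths keys written by _INS5176._MP (PID 2064) in the report.
foreach ($key in $RegistryKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    $Findings.Add([pscustomobject]@{ Kind = 'Registry'; Item = $key; Detail = ($values -join '; ') })
}

# 2. Install directories, plus the InstallShield uninstaller the UninstallString points at.
$dirs = foreach ($dir in $ProgramDirs) { Join-Path -Path $dir -ChildPath 'Ixia' }
Get-ChildItem -Path $dirs -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-FileFinding $_.FullName }
$isUninst = Join-Path -Path $env:windir -ChildPath 'IsUninst.exe'
if (Test-Path -Path $isUninst -PathType Leaf) { Add-FileFinding $isUninst }

# 3. The service that starts endpoint.exe under services.exe as SYSTEM. The report gives no
#    service name, so match on the image path rather than guessing one.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'endpoint\.exe' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Kind   = 'Service'; Item = $_.Name
            Detail = "State=$($_.State); StartMode=$($_.StartMode); Account=$($_.StartName); Path=$($_.PathName)"
        })
    }

# 4. Leftover staging directories (pft*~tmp, _ISTMP*.DIR) and the files inside them.
Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'pft*~tmp' -or $_.Name -like '_ISTMP*.DIR' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Kind = 'TempDir'; Item = $_.FullName; Detail = "Created $($_.CreationTime)" })
        Get-ChildItem -Path $_.FullName -File -Recurse | ForEach-Object { Add-FileFinding $_.FullName }
    }

if ($Findings.Count -eq 0) { 'No Qcheck/Endpoint artifacts from the report were found on this host.' }
else { $Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

On the sandbox machine itself (32-bit Windows 7) only the non-WOW6432Node keys and C:\Program Files would exist. A "DIFFERS from report" result means a file with that name is present but is not byte-identical to the dropped copy the sandbox hashed; for the CABs that is expected whenever a different build of the installer ran, so treat it as a lead to compare, not as proof of tampering.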
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 12
DNS requests: 9
Threats: 0

HTTP requests

"-" means the report records no value.

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1556 | qcheck.exe | GET | - | 204.74.99.100:80 | http://204.74.99.100:80/update/updcheck.txt | unknown | - | - | unknown

Connections

"-" means the report records no value (the third row is listed without a PID or process name).

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1556 | qcheck.exe | 204.74.99.100:80 | www.qcheck.net | ULTRADNS | US | unknown
3800 | msedge.exe | 239.255.255.250:1900 | - | - | - | unknown
924 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
924 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3800 | msedge.exe | 224.0.0.251:5353 | - | - | - | unknown
924 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
www.qcheck.net | 204.74.99.100 | unknown
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | 152.199.21.175 | whitelisted

Threats

No threats detected
Debug output strings

The messages below are the CRT debug-heap leak report that a debug build of an MFC application emits through OutputDebugString at exit ("Dumping objects ->", the "{732} client block at ..., subtype 0, ... bytes long." entries and the "strcore.cpp(118) :" source reference from the MFC CString allocator), so they indicate that qcheck.exe is a debug build, not that the installer produced them.

Process | Message
qcheck.exe | Tree instance created
qcheck.exe | TraceTest::Check
qcheck.exe | client block at 0x02667BC0, subtype 0, 104 bytes long.
qcheck.exe | {732}
qcheck.exe | strcore.cpp(118) :
qcheck.exe | Dumping objects ->
qcheck.exe | strcore.cpp(118) :
qcheck.exe | Data: < ; ; Repo> 01 00 00 00 3B 00 00 00 3B 00 00 00 52 65 70 6F
qcheck.exe | normal block at 0x02667C78, 73 bytes long.
qcheck.exe | client block at 0x0266BEB0, subtype 0, 64 bytes long.