File name: qdsetup[1].exe

Full analysis: https://app.any.run/tasks/59f18efe-5590-4c54-b8eb-85b2b81991e4
Verdict: Malicious activity
Analysis date: May 30, 2024, 10:19:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2CAC072D3CDC902602910A60CAA9A645
SHA1: A5B2C94D6C2EF0CF561FF04313BC15CF9C71F33D
SHA256: 65C24793280005FBA84434EFE309C60504F55728FB4C6EA626F61DB840A32D4B
SSDEEP: 12288:V6bQP5qpcrT4jswQZFcgXqAT0QozVBdPi+wTSfyf0uPBYIXC:0eEu/4AwxgXqs0QozVPi+wTSqf0qYIy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • qdsetup[1].exe (PID: 4088)
  • SUSPICIOUS
    • Reads the Internet Settings
      • qdsetup[1].exe (PID: 4088)
    • Process requests binary or script from the Internet
      • qdsetup[1].exe (PID: 4088)
    • Potential Corporate Privacy Violation
      • qdsetup[1].exe (PID: 4088)
    • Creates a software uninstall entry
      • qdsetup[1].exe (PID: 4088)
  • INFO
    • Disables trace logs
      • qdsetup[1].exe (PID: 4088)
    • Checks supported languages
      • qdsetup[1].exe (PID: 4088)
      • wmpnscfg.exe (PID: 2044)
    • Checks proxy server information
      • qdsetup[1].exe (PID: 4088)
    • Creates files in the program directory
      • qdsetup[1].exe (PID: 4088)
    • Reads the computer name
      • qdsetup[1].exe (PID: 4088)
      • wmpnscfg.exe (PID: 2044)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2044)
      • taskmgr.exe (PID: 1772)
    • Creates files in a temporary directory
      • qdsetup[1].exe (PID: 4088)
No Malware configuration.

TRiD

.exe | ASPack compressed Win32 Executable (generic) (92.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1351168
InitializedDataSize: 525824
UninitializedDataSize: -
EntryPoint: 0x1d2001
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.57.0.477
ProductVersionNumber: 5.57.0.477
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Windows, Cyrillic
CompanyName: Intes Ltd.
FileDescription: Setup for QD Professional
FileVersion: 5.57.0.477
InternalName: qdsetup
LegalCopyright: © 2001-2012 Intres Ltd.
LegalTrademarks: QD Professional
OriginalFileName: qdsetup.exe
ProductName: qdsetup
ProductVersion: 5.57
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 1772
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2044
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3984
CMD: "C:\Users\admin\AppData\Local\Temp\qdsetup[1].exe"
Path: C:\Users\admin\AppData\Local\Temp\qdsetup[1].exe
Parent process: explorer.exe
User: admin
Company: Intes Ltd.
Integrity Level: MEDIUM
Description: Setup for QD Professional
Exit code: 3221226540
Version: 5.57.0.477
Modules (Images):
c:\users\admin\appdata\local\temp\qdsetup[1].exe
c:\windows\system32\ntdll.dll

PID: 4088
CMD: "C:\Users\admin\AppData\Local\Temp\qdsetup[1].exe"
Path: C:\Users\admin\AppData\Local\Temp\qdsetup[1].exe
Parent process: explorer.exe
User: admin
Company: Intes Ltd.
Integrity Level: HIGH
Description: Setup for QD Professional
Version: 5.57.0.477
Modules (Images):
c:\users\admin\appdata\local\temp\qdsetup[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 1 736
Read events: 1 691
Write events: 45
Delete events: 0

Modification events

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intes\QDPro
Operation: write
Name: Access
Value: Admin

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intes\QDPro
Operation: write
Name: Executable
Value: C:\Users\admin\AppData\Local\Temp

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intes\QDPro
Operation: write
Name: CommonData
Value: C:\Users\admin\AppData\Local\Temp\CommonData

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intes\QDPro
Operation: write
Name: ProxyAddr
Value:

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intes\QDPro
Operation: write
Name: ProxyPort
Value:

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qdsetup[1]_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qdsetup[1]_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qdsetup[1]_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qdsetup[1]_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (4088) qdsetup[1].exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qdsetup[1]_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files: 0
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID: 4088
Process: qdsetup[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\qdpro.log
Type: text
MD5: 09BF96DD0474D67F4A6AD578F9BB49E9
SHA256: 74CCF62518E2D12427B585029CA73DD1E85B058C9414B5CA392E3E946CB997A4

PID: 4088
Process: qdsetup[1].exe
Filename: C:\Intes\QDPro\Temp\qdsetup.ver
Type: binary
MD5: 07518DDE80D454921A2C1F2DB89500F8
SHA256: 345984150F55F76B95ABDDDA6DA2BD6446581880B1C8779761EE2B79CEFCE1DA

PID: 4088
Process: qdsetup[1].exe
Filename: C:\Intes\QDPro\Temp\httpdbg.txt
Type: text
MD5: FA77320CFB3937CD30633A75FEE6548F
SHA256: 9B7A61B2D7E99784969DC520D543BF7EB27433597B7EB1C2551DEA0C0E165B1C

PID: 4088
Process: qdsetup[1].exe
Filename: C:\Intes\QDPro\Temp\cfgmain.int
Type: binary
MD5: 2728D5FD9CAB15E4F13D4BE7A5277AD1
SHA256: EE01B51832A4BE72ED93E4D096437487965FF844A869D0D2FC9DF25BBB70D41D
HTTP(S) requests: 14
TCP/UDP connections: 18
DNS requests: 1
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4088 | qdsetup[1].exe | HEAD | 200 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.exe | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 206 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.exe | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | - | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/ | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 200 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/update/ | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 206 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.qdu | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 206 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/update/s01-ver.qdu | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 206 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.qdu | unknown | - | - | unknown
4088 | qdsetup[1].exe | HEAD | 200 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.exe | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | 206 | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/qdsetup.qdu | unknown | - | - | unknown
4088 | qdsetup[1].exe | GET | - | 176.111.63.15:80 | http://download.qdpro.com.ua/data/qdwin/ | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4088 | qdsetup[1].exe | 176.111.63.15:80 | download.qdpro.com.ua | United Networks of Ukraine Ltd | UA | unknown

DNS requests

Domain | IP | Reputation
download.qdpro.com.ua | 176.111.63.15 | unknown

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- | - | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
4088 | qdsetup[1].exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
4088 | qdsetup[1].exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
- | - | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
No debug info