Malware analysis MIB Final QeX.exe Malicious activity

Add for printing

File name:	MIB Final QeX.exe
Full analysis:	https://app.any.run/tasks/5ab86dbb-ae4e-4510-a393-86437b309967
Verdict:	Malicious activity
Analysis date:	June 20, 2025, 07:07:30
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	qrcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	A160B9DFFEF4A795DA4FA1D1E5C61D31
SHA1:	DCCE89FCA9F72A8A219457ADB658BC9394ACC6FE
SHA256:	C7ECBBD615D2237E6690637E31402607CC37D62EEFDABD4CDE8DF057CCBE76F0
SSDEEP:	98304:7M0F9+CBjQE4MU/wZagFP1F6lJ5nqfAR5jCVXr2KpAGZcWHcmugF7bjLUpmDlPf1:dP9CyYoLPUT1116UV5SgTsKAPnj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads the date of Windows installation
  - MIB Final QeX.exe (PID: 3976)
- Reads security settings of Internet Explorer
  - MIB Final QeX.exe (PID: 3976)
- Starts CMD.EXE for commands execution
  - MIB Final QeX.exe (PID: 3976)
- Executing commands from a ".bat" file
  - MIB Final QeX.exe (PID: 3976)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6256)
INFO
- Checks supported languages
  - MIB Final QeX.exe (PID: 3976)
- Process checks computer location settings
  - MIB Final QeX.exe (PID: 3976)
- Reads the computer name
  - MIB Final QeX.exe (PID: 3976)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:05:12 10:17:07+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	288768
InitializedDataSize:	210944
UninitializedDataSize:	-
EntryPoint:	0x32ee0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

153

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

592

xcopy /Y "c:\ProAgent\Qex\Offline\*.*" "C:\ProTopas\Web\Offline\"* /E/H/K/S

C:\Windows\System32\xcopy.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Extended Copy Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\ulib.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

2132

xcopy /Y "C:\ProAgent\QeX\assets\*.*" "C:\ProTopas\Web\assets\"* /E/H/K/S

C:\Windows\System32\xcopy.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Extended Copy Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

2428

"C:\WINDOWS\regedit.exe" /s C:\ProAgent\QeX\LYNXCI.reg

C:\Windows\regedit.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Editor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2764

regedit /s C:\ProAgent\QeX\localCustom.reg

C:\Windows\regedit.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Editor

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll

3476

regedit /s C:\ProAgent\QeX\LYNXCI.reg

C:\Windows\regedit.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Editor

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll

3976

"C:\Users\admin\AppData\Local\Temp\MIB Final QeX.exe"

C:\Users\admin\AppData\Local\Temp\MIB Final QeX.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\mib final qex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4236

xcopy /Y "C:\ProAgent\QeX\css\*.*" "C:\ProTopas\Web\css\"* /E/H/K/S

C:\Windows\System32\xcopy.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Extended Copy Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\ulib.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

4520

"C:\WINDOWS\regedit.exe" /s C:\ProAgent\QeX\LYNXCI.reg

C:\Windows\regedit.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Editor

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll

4808

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5480

xcopy /Y "C:\ProAgent\QeX\localCustom.reg" "C:\ProTopas\"* /E/H/K/S

C:\Windows\System32\xcopy.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Extended Copy Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

3 829

Read events

888

Write events

2 941

Delete events

Modification events


(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\010
Operation:	write	Name:	CONTENTS
Value: \0e060\1b[150z\0e061\1b[150z\0e062\1b[150z\0e065\1b[150z\0e066\1b[150z
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\010
Operation:	write	Name:	WEB_USE_HTML_DIALOG
Value: 1
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\c00
Operation:	write	Name:	CONTENTS
Value: \0c\1bP2017\1b\5c
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\c00
Operation:	write	Name:	WEB_USE_HTML_DIALOG
Value: 1
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\015
Operation:	write	Name:	CONTENTS
Value: \0c\0f@@\1bP215\1b\5c\1b[27m\1b[80m\0fGN
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\015
Operation:	write	Name:	WEB_USE_HTML_DIALOG
Value: 1
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\016
Operation:	write	Name:	CONTENTS
Value: \1b[00m\0c\0f@@\1bP216\1b\5c\1b[27m\1b[80m\0fGN
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\016
Operation:	write	Name:	WEB_USE_HTML_DIALOG
Value: 1
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\017
Operation:	write	Name:	CONTENTS
Value: \1b[00m\0c\0fDCPLEASE ENTER YOUR PIN AND\0fFC PRESS ENTER \1b[27m\0fHM
(PID) Process:	(5904) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXCI\SCREEN\017
Operation:	write	Name:	WEB_USE_HTML_DIALOG
Value: 0

Add for printing

Executable files

Suspicious files

Text files

664

Unknown types

Dropped files

PID	Process	Filename		Type
3976	MIB Final QeX.exe	C:\ProAgent\Qex\WebexuseIE11.reg		text
		MD5:971F5EFF41E18F266B78B5811222CD32	SHA256:479ABEFFD92AE37D8A462F1E76F199E026D649B6787C5DCBB8AB5609D469CBC6
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\backspace.png		image
		MD5:78A3A57C11DE277BF9791E6930577095	SHA256:C22545A4110251033109FB38341B31C3C01EE6D74BFF442CCB8807202A723168
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\holder.png		image
		MD5:D61B5FF25AE58E9D8BFCC32F3B19A1AE	SHA256:516691DCF7BF060A4DC6D0A1E34EA40E001AAEDEE4D5607EDC70D8594F46BD19
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\logoloading.gif		image
		MD5:A019DD61979671169A2EB94B115C8BA1	SHA256:6ADBF52014912EBBA0DB21E3F64C04DE73F786AA4FCEC6DD35F49C1E1F82DD1B
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\note.png		image
		MD5:6191C097C6521C581422DA4E81506444	SHA256:D4D49E4FA55BB537A404EE6CF4961DCA971D0AA9E33600E0C1F6F068F7068463
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\CardHOlder.png		image
		MD5:C068228CBDFB46E6A0C991E1E6E043FA	SHA256:F6BA9BA1E1C1964BDE51CD7066F4076D37AA04DF39054AC2DB90BEAC8017FD60
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\Bg.png		image
		MD5:9C2673758E9D49128D9BC8FEFE988842	SHA256:EDC09D46421CCE17D618E2D95E309527FB1D4BA86A9D1A35CA6869F2B3769812
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\blue-note.png		image
		MD5:9AF0466A3F8B85A65E0E22A79441A81A	SHA256:BF2A6FE3AB32E6A94A94CD2319ED6B1423F8FEEC8DD73541FD002B3C01C1BBFB
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\png\backspace.png		image
		MD5:7C51DC9F0213DAD8F03F35ADC070F75B	SHA256:4CC6AF9213A8C3DC882493AF329ACDEEC7EE02A4D9B9FE724A755DF975123D52
3976	MIB Final QeX.exe	C:\ProAgent\Qex\assets\mcb\img\success.gif		image
		MD5:7F6010FF1DBF0708B7A2488AC6E2AEB8	SHA256:B13DA48BFAADE8E29AF6A00D7751C7C3A21CFDB53BF35C571BE3C141CDE8223A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

MIB Final QeX.exe

A160B9DFFEF4A795DA4FA1D1E5C61D31

DCCE89FCA9F72A8A219457ADB658BC9394ACC6FE

C7ECBBD615D2237E6690637E31402607CC37D62EEFDABD4CDE8DF057CCBE76F0

98304:7M0F9+CBjQE4MU/wZagFP1F6lJ5nqfAR5jCVXr2KpAGZcWHcmugF7bjLUpmDlPf1:dP9CyYoLPUT1116UV5SgTsKAPnj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses REG/REGEDIT.EXE to modify registry

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings