File name: webex.exe
Full analysis: https://app.any.run/tasks/3dca60b2-73d5-4018-af9d-c5696d133089
Verdict: Suspicious activity
Analysis date: October 08, 2020, 20:43:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1E909905AEE2049EE1F363C7A3DDFF5B
SHA1: 9005FB43C770B1FDA6084E25229CC8021DE96CC6
SHA256: 998CDAA6A95932A15D167D9F08E33ADAB3840CF83EA23C1B13D7B95C38FB6C60
SSDEEP: 6144:Z9OrnZ7wCR3RSkU2TSITUROzbiuX+pJwIZe:ZYrZ7wk3RSkJTSI4ROSo+IIZe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cws1.tmp (PID: 3144)
    • Loads dropped or rewritten executable

      • cws1.tmp (PID: 3144)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • webex.exe (PID: 4060)
    • Reads Internet Cache Settings

      • webex.exe (PID: 4060)
      • cws1.tmp (PID: 3144)
    • Executable content was dropped or overwritten

      • webex.exe (PID: 4060)
      • cws1.tmp (PID: 3144)
  • INFO

    • Reads settings of System Certificates

      • cws1.tmp (PID: 3144)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:09:18 13:10:58+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 158208
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0x13bf6
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10051.9.2020.918
ProductVersionNumber: 10051.9.2020.918
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Cisco Webex LLC
FileDescription: Cisco Webex Meeting
FileVersion: 10051,9,2020,0918
InternalName: Webex
LegalCopyright: © 2019 Cisco and/or its affiliates. All rights reserved.
OriginalFileName: Webex.exe
ProductName: Cisco Webex Meeting
ProductVersion: 10051,9,2020,0918
GPCVersion: 3
UrlProtocolVersion: 1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Sep-2020 11:10:58
Detected languages:
  • Chinese - PRC
  • Chinese - Taiwan
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United States
  • French - France
  • German - Germany
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Polish - Poland
  • Portuguese - Brazil
  • Romanian - Romania
  • Russian - Russia
  • Spanish - Mexico
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Turkish - Turkey
Debug artifacts:
  • O:\webex-windows-plugin\output\maps\Release\webex.pdb
CompanyName: Cisco Webex LLC
FileDescription: Cisco Webex Meeting
FileVersion: 10051,9,2020,0918
InternalName: Webex
LegalCopyright: © 2019 Cisco and/or its affiliates. All rights reserved.
OriginalFilename: Webex.exe
ProductName: Cisco Webex Meeting
ProductVersion: 10051,9,2020,0918
GPCVersion: 3
UrlProtocolVersion: 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header (in 16-byte paragraphs): 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new EXE (PE) header, e_lfanew: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Sep-2020 11:10:58
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000268CD | 0x00026A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.48427
.rdata | 0x00028000 | 0x00009690 | 0x00009800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.37659
.data | 0x00032000 | 0x00001674 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.48612
.rsrc | 0x00034000 | 0x0000A608 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.18371
.reloc | 0x0003F000 | 0x00001AB8 | 0x00001C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.49775
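The section table above (virtual address, raw size, IMAGE_SCN_* flags and per-section entropy) and the COFF timestamp in the PE Headers block are all recoverable from the raw file with nothing but struct. The script below is an added example, not code from the report or from Cisco: it walks the DOS header, the COFF file header and the section headers, names the characteristics bits exactly as the table does, and computes the Shannon entropy of each section's raw bytes, which is what the Entropy column measures (packed or encrypted code tends toward 8.0; zero-filled data toward 0.0). The image it runs on is constructed inline by build_sample_pe() and only borrows the report's link timestamp (1600427458 = 2020-09-18 11:10:58 UTC) and section flags; point parse_sections() at the bytes of a real file to reproduce the real table.

```python
"""Minimal PE section walker: recomputes the kind of data the Sections table shows.

Added example (not from the ANY.RUN report or Cisco). Parses MZ/PE/COFF headers
and the section table with struct only; the sample image is CONSTRUCTED below.
"""
import math
import struct
from datetime import datetime, timezone

# IMAGE_SCN_* bits that appear in the report's Characteristics column.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_names(characteristics: int) -> str:
    """Render section characteristics the way the report lists them (ascending bit order)."""
    return ", ".join(name for bit, name in sorted(SECTION_FLAGS.items()) if characteristics & bit)


def parse_sections(pe: bytes) -> dict:
    """Return machine, UTC link time and one record per section, with raw-data entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)              # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                                   # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, scn = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": flag_names(scn),
            "entropy": round(shannon_entropy(raw), 5),
        })
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "sections": sections}


def build_sample_pe() -> bytes:
    """CONSTRUCTED two-section PE32 carrying the report's COFF timestamp (this is not webex.exe)."""
    ts = 1600427458                       # 2020-09-18 11:10:58 UTC, as in the PE Headers block
    text = bytes(range(256))              # every byte value once: entropy 8.0
    data = bytes(512)                     # all zeros: entropy 0.0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)                     # PE32 magic, rest zeroed

    def hdr(name, vaddr, raw, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, flags)

    headers = (dos + coff + opt
               + hdr(b".text", 0x1000, text, 0x200, 0x60000020)           # CODE|EXECUTE|READ
               + hdr(b".data", 0x2000, data, 0x300, 0xC0000040))          # INITIALIZED_DATA|READ|WRITE
    return headers.ljust(0x200, b"\0") + text + data


if __name__ == "__main__":
    info = parse_sections(build_sample_pe())
    print("linked", info["timestamp"].isoformat())
    for s in info["sections"]:
        print(f'{s["name"]:<8} {s["virtual_address"]:#010x} {s["raw_size"]:#010x} {s["entropy"]:.5f} {s["characteristics"]}')
```

Two things worth comparing against the table when you run this on the real sample: the .text entropy (6.48 here is ordinary compiled code, well below the 7.5+ that packed sections show) and the timestamp, which should agree with the EXIF value once the +02:00 offset is removed.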

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.06467 | 638 | UNKNOWN | English - United States | RT_MANIFEST
2 | 3.8938 | 2440 | UNKNOWN | English - United States | RT_ICON
3 | 4.82731 | 1128 | UNKNOWN | English - United States | RT_ICON
4 | 2.41275 | 4136 | UNKNOWN | English - United States | RT_ICON
5 | 2.78316 | 1064 | UNKNOWN | English - United States | RT_ICON
7 | 3.01976 | 464 | UNKNOWN | Spanish - Spain (International sort) | RT_STRING
8 | 3.1223 | 358 | UNKNOWN | Spanish - Spain (International sort) | RT_STRING
101 | 1.79879 | 16 | UNKNOWN | Spanish - Spain (International sort) | RT_ACCELERATOR
120 | 3.39176 | 392 | UNKNOWN | Spanish - Spain (International sort) | RT_DIALOG
121 | 2.50016 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
UxTheme.dll
VERSION.dll
WININET.dll
WINTRUST.dll
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start -> webex.exe -> cws1.tmp

Process information

PID: 3144
CMD: "C:\Users\admin\AppData\Local\Temp\cws1.tmp" /tfs /channel=webex_ciscowebexstart_sm_v1_4060_41
Path: C:\Users\admin\AppData\Local\Temp\cws1.tmp
Parent process: webex.exe
User: admin
Company: Cisco Webex LLC
Integrity Level: MEDIUM
Description: Cisco Webex Meeting
Exit code: 0
Version: 10051,9,2020,0918
Modules (images):
  • c:\users\admin\appdata\local\temp\cws1.tmp
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\windows\system32\wintrust.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\imagehlp.dll

PID: 4060
CMD: "C:\Users\admin\AppData\Local\Temp\webex.exe"
Path: C:\Users\admin\AppData\Local\Temp\webex.exe
Parent process: explorer.exe
User: admin
Company: Cisco Webex LLC
Integrity Level: MEDIUM
Description: Cisco Webex Meeting
Exit code: 0
Version: 10051,9,2020,0918
Modules (images):
  • c:\users\admin\appdata\local\temp\webex.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\wininet.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
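The SUSPICIOUS indicators above ("Starts application with an unusual extension", "Executable content was dropped or overwritten") come from exactly this process tree: webex.exe, itself running out of the user's Temp directory, writes cws1.tmp next to it and executes it with the /tfs /channel=... arguments shown. The script below is an added example, not part of the report and not ANY.RUN's or Cisco's code; it turns that observation into a process-creation rule and runs it over three events constructed in a Sysmon Event ID 1 style (field names follow Sysmon; the two Webex command lines and parents are taken from the report, the notepad.exe event is a made-up benign control). The rule flags an image whose extension is not one Windows normally executes directly and, separately, a Temp-resident parent starting a Temp-resident child; both fire for PID 3144 and neither for the others. Whether such a hit is benign installer behaviour or a dropper is then a question of who signed the files, which the rule deliberately leaves to the analyst.

```python
"""Process-creation rule for the 'Starts application with an unusual extension' indicator.

Added example (not from the ANY.RUN report). Events are CONSTRUCTED in a
Sysmon Event ID 1 style from the process tree the report shows.
"""
import ntpath
import re

# Extensions Windows normally uses for a directly started program image.
NORMAL_IMAGE_EXT = {".exe", ".com", ".scr"}
# Per-user Temp directory: where both processes in the report ran from.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def split_command_line(cmd: str) -> tuple[str, list[str]]:
    """Return (image path, argument list); the image may be double-quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].split()
    head, _, rest = cmd.partition(" ")
    return head, rest.split()


def evaluate(event: dict) -> list[str]:
    """Apply the rule to one process-creation event; return the findings it raises."""
    image, _args = split_command_line(event["CommandLine"])
    findings = []
    ext = ntpath.splitext(image)[1].lower()
    if ext not in NORMAL_IMAGE_EXT:
        findings.append(f"unusual_extension:{ext or '(none)'}")
    if USER_TEMP_RE.match(image) and USER_TEMP_RE.match(event["ParentImage"]):
        findings.append("temp_spawns_temp")
    return findings


# Constructed events modelled on the report's tree: explorer.exe -> webex.exe -> cws1.tmp,
# plus one benign control that is not in the report.
SAMPLE_EVENTS = [
    {"ProcessId": 4060, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\admin\AppData\Local\Temp\webex.exe"'},
    {"ProcessId": 3144, "ParentImage": r"C:\Users\admin\AppData\Local\Temp\webex.exe",
     "CommandLine": r'"C:\Users\admin\AppData\Local\Temp\cws1.tmp" /tfs /channel=webex_ciscowebexstart_sm_v1_4060_41'},
    {"ProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe",          # constructed benign control
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\admin\notes.txt"},
]


def run_rule(events: list[dict]) -> dict[int, list[str]]:
    """Evaluate every event; return {ProcessId: findings} for the ones that raised something."""
    hits = {}
    for ev in events:
        findings = evaluate(ev)
        if findings:
            hits[ev["ProcessId"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in run_rule(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

Feed it real Sysmon or EDR process events (CommandLine and ParentImage are the only fields it reads) and use the temp_spawns_temp finding to rank hits: a .tmp child of an explorer.exe-launched .exe in Temp is the installer pattern, a .tmp child of a browser or Office process is not.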
Total events: 252
Read events: 212
Write events: 40
Delete events: 0

Modification events

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4060) webex.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (4060) webex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 46000000A6000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (3144) cws1.tmp
Key: HKEY_CURRENT_USER\Software\WebEx\MeetingManager
Operation: write
Name: primarySite
Value: hfhs.webex.com
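The two SavedLegacySettings writes are the registry events worth decoding, because that value is where WinINet keeps the per-user proxy configuration and rewriting it is a classic way for malware to route a victim's browser through a proxy or PAC script. The decoder below is an added example, not from the report; it parses the fixed prefix of the blob in the layout documented for DefaultConnectionSettings/SavedLegacySettings (DWORD version 0x46, DWORD change counter, DWORD flags, then proxy server, bypass list and autoconfig URL as length-prefixed strings) and treats everything after that as opaque. The two constants are the first 24 bytes of the values shown above; they differ only in the counter (0xA5, then 0xA6) and decode to flags 0x01 (direct connection) with all three strings empty, which is consistent with the ProxyEnable=0 that the same process wrote. The third blob is constructed here to show what a proxy-insertion write would look like by contrast.

```python
"""Decoder for the WinINet connection-settings blob (SavedLegacySettings).

Added example (not from the ANY.RUN report). Parses only the documented fixed
prefix; the bytes that follow it are not interpreted.
"""
import struct

FLAG_NAMES = {
    0x01: "DIRECT",          # direct connection allowed (set in practice)
    0x02: "PROXY",           # manual proxy server in use
    0x04: "AUTOCONFIG_URL",  # PAC script configured
    0x08: "AUTO_DETECT",     # WPAD auto-detection on
}


def decode_connection_settings(blob: bytes) -> dict:
    """Parse version, change counter, flags and the three length-prefixed ANSI strings."""
    if len(blob) < 24:
        raise ValueError("blob shorter than the 24-byte fixed prefix")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version != 0x46:
        raise ValueError(f"unexpected version {version:#x}")
    result = {"version": version, "counter": counter, "flags": flags,
              "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit]}
    offset = 12
    for field in ("proxy_server", "bypass_list", "autoconfig_url"):
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        result[field] = blob[offset:offset + length].decode("latin-1")
        offset += length
    result["prefix_length"] = offset
    return result


def routes_traffic_via_proxy(blob: bytes) -> bool:
    """Triage check: would this configuration push WinINet traffic through a proxy or PAC script?"""
    d = decode_connection_settings(blob)
    return bool(d["flags"] & 0x06) or bool(d["proxy_server"]) or bool(d["autoconfig_url"])


def build_blob(counter: int, flags: int, proxy=b"", bypass=b"", pac=b"") -> bytes:
    """Assemble a blob in the same layout (used only to construct the contrasting case)."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac):
        out += struct.pack("<I", len(s)) + s
    return out


# First 24 bytes of the two values the report shows PID 4060 writing; bytes.fromhex ignores spaces.
FIRST_WRITE = bytes.fromhex("46000000 A5000000 01000000 00000000 00000000 00000000")
SECOND_WRITE = bytes.fromhex("46000000 A6000000 01000000 00000000 00000000 00000000")
# CONSTRUCTED contrast, not from the report: manual proxy 127.0.0.1:8080, flags DIRECT|PROXY.
CONSTRUCTED_PROXY = build_blob(1, 0x03, proxy=b"127.0.0.1:8080")

if __name__ == "__main__":
    for label, blob in (("first", FIRST_WRITE), ("second", SECOND_WRITE), ("constructed", CONSTRUCTED_PROXY)):
        d = decode_connection_settings(blob)
        print(f'{label}: counter={d["counter"]:#x} flags={d["flag_names"]} '
              f'proxy={d["proxy_server"]!r} pac={d["autoconfig_url"]!r} '
              f'proxied={routes_traffic_via_proxy(blob)}')
```

On a live host the same value sits under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (DefaultConnectionSettings for the active configuration, SavedLegacySettings for the backup WinINet keeps), so the decoder can be pointed at a registry export or a hive carved in forensics as well as at a sandbox event.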
Executable files: 2
Suspicious files: 4
Text files: 0
Unknown types: 1

Dropped files ("-" = not given in the report)

PID | Process | Filename | Type | MD5 | SHA256
4060 | webex.exe | C:\Users\admin\AppData\Local\Temp\Cab7796.tmp | - | - | -
4060 | webex.exe | C:\Users\admin\AppData\Local\Temp\Tar7797.tmp | - | - | -
3144 | cws1.tmp | C:\Users\admin\AppData\Local\Temp\CabA86C.tmp | - | - | -
3144 | cws1.tmp | C:\Users\admin\AppData\Local\Temp\TarA86D.tmp | - | - | -
3144 | cws1.tmp | C:\Users\admin\AppData\Local\Temp\wbxA618.tmp | - | - | -
3144 | cws1.tmp | C:\Users\admin\AppData\Local\WebEx\WebEx\Meetings\atgpcdec.dll.tmp | - | - | -
4060 | webex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1D58A822390877B7FC21A87709600396 | der | 41DDB2C93EB896A7FF58C7A1DF38970A | 394DC27DEE69EA6753589512364107242DFC839FA861A4217DC887FEA646661B
4060 | webex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1D58A822390877B7FC21A87709600396 | binary | C46C052BC872CD7C9D96E2CCD3E734BD | B2A4E6E480BA21230D904FD2DBA17048E3A82127478990740D40AEF29BECFB90
3144 | cws1.tmp | C:\Users\admin\AppData\Local\Temp\wbxA619.tmp | compressed | 9166771B8137AAEE86D1C55B9DBDF910 | 68E5E6992378FA77192E5A2876351FC397624F0F1CFA602CABB83D22BBF77799
3144 | cws1.tmp | C:\Users\admin\AppData\Local\WebEx\WebEx\Meetings\atgpcdec.dll | executable | 9501091B14422453492BE041D56949F8 | 11C20051F4013552A1A2E5186D9E680508EADC8963D460AC5EBDE029E109E74A
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 5
Threats: 0

HTTP requests

No HTTP requests

Connections ("-" = not given in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
4060 | webex.exe | 64.68.105.105:443 | hfhs.webex.com | Cisco Webex LLC | US | suspicious
4060 | webex.exe | 34.249.165.103:80 | ocsp.quovadisglobal.com | Amazon.com, Inc. | IE | unknown
4060 | webex.exe | 52.219.47.122:80 | crl.quovadisglobal.com | - | DE | unknown
3144 | cws1.tmp | 104.84.56.166:443 | akamaicdn.webex.com | Vodafone NZ Ltd. | US | unknown
3144 | cws1.tmp | 64.68.105.105:443 | hfhs.webex.com | Cisco Webex LLC | US | suspicious

The two port-80 connections to ocsp.quovadisglobal.com and crl.quovadisglobal.com, the CryptnetUrlCache Content/MetaData files dropped by PID 4060 and the wintrust/crypt32/msasn1 modules loaded by PID 3144 are what CryptoAPI produces while checking a certificate chain for revocation, not sample-controlled traffic; the report lists no HTTP requests and no threats for them. The report does not state whether the Authenticode signature on webex.exe or on the dropped atgpcdec.dll actually verified, so that has to be checked separately before the Cisco version information is relied on.

DNS requests

Domain | IP | Reputation
hfhs.webex.com | 64.68.105.105 | unknown
ocsp.quovadisglobal.com | 34.249.165.103 | whitelisted
crl.quovadisglobal.com | 52.219.47.122 | shared
akamaicdn.webex.com | 104.84.56.166 | whitelisted

Threats

No threats detected

Process | Message
cws1.tmp | WbxMapViewOfFile szMapFileName=WBX_TRACE_MAPVIEW_MAP_NAME_PRE_3144
cws1.tmp | WbxMapViewOfFile new lpBaseAddress=25886720
cws1.tmp | WbxMapViewOfFile