File name: webex (1).exe
Full analysis: https://app.any.run/tasks/8a6ebe9a-0d2b-40d5-afa2-07fe7245230b
Verdict: Malicious activity
Analysis date: December 19, 2023, 20:39:08
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 4BEC11DFBBBCD15DADCE0C0A1A2F5999
SHA1: B064BAD795000799D5C3FF189AEBCAADEAF11C21
SHA256: C8C6ED9AA5DA354BFE9D9582827685537966DF9E2DB779A55A9B00A08678C164
SSDEEP: 49152:H05zqEqngpN6Foh2xUTxxKRD5QeyfFRshTmnevk9i5LQrzFr9OrY/uEakEgVgM/Z:sqEqnk6yh2xSKRD1Iidme8Q5LWxr97G8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2192)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 2364)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 2192)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 2192)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 2192)
    • Reads the Internet Settings

      • webex (1).exe (PID: 1728)
    • Reads settings of System Certificates

      • webex (1).exe (PID: 1728)
  • INFO

    • Reads the computer name

      • webex (1).exe (PID: 1728)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 4800)
      • msiexec.exe (PID: 2192)
    • Creates files in a temporary directory

      • webex (1).exe (PID: 1728)
    • Checks supported languages

      • webex (1).exe (PID: 1728)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 4800)
      • msiexec.exe (PID: 2192)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 2192)
    • Application launched itself

      • msiexec.exe (PID: 2192)
    • Checks proxy server information

      • webex (1).exe (PID: 1728)
    • Reads Environment values

      • msiexec.exe (PID: 4800)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 2192)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ Matrix in the full report.
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:06 04:40:45+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.32
CodeSize: 1376256
InitializedDataSize: 53248
UninitializedDataSize: 2711552
EntryPoint: 0x3e56f0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.12.2.26612
ProductVersionNumber: 2.12.2.26612
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (1809)
CharacterSet: Unicode
CompanyName: Cisco Systems, Inc
FileDescription: Webex
FileVersion: 2.12.2.26612
InternalName: Webex
LegalCopyright: Copyright (C) 2022 Cisco Systems Inc.
OriginalFileName: -
ProductName: Webex
ProductVersion: 2.12.2.26612
All screenshots are available in the full report
Total processes: 106
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph; see the full report.) Nodes: start, webex (1).exe, msiexec.exe (four instances, three marked "no specs"), taskkill.exe (no specs), conhost.exe (no specs).

Process information

PID: 1404
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 1728
CMD: "C:\Users\admin\Desktop\webex (1).exe"
Path: C:\Users\admin\Desktop\webex (1).exe
Parent process: explorer.exe
User: admin
Company: Cisco Systems, Inc
Integrity Level: MEDIUM
Description: Webex
Exit code: 0
Version: 2.12.2.26612
Modules (images):
c:\users\admin\desktop\webex (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 2192
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 2200
CMD: "C:\Windows\system32\\taskkill.exe" /F /IM CiscoCollabHost.exe /T
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 2364
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding F0167E1D954F3578A795B9BABA4AFE8C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.22000.653 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 3780
CMD: msiexec.exe /i "C:\Users\admin\AppData\Local\Temp\bea0f3b5-cccb-4587-986f-ceda2b1b6d05.msi" /quiet /norestart AUTOSTART_WITH_WINDOWS=false
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: webex (1).exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.22000.653 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 4800
CMD: C:\Windows\System32\MsiExec.exe -Embedding B6BCF4E347D6A5077C2383474CED35EA
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 15 152
Read events: 15 139
Write events: 4
Delete events: 9

Modification events

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Cisco Spark Native
Operation: write
Name: installed
Value: 1

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001_Classes\Local Settings\MuiCache\48\52C64B7E
Operation: delete key
Name: (default)
Value: (none)

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001_Classes\Local Settings\MuiCache\48
Operation: delete key
Name: (default)
Value: (none)

Process: (3780) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 51

Process: (2192) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete value
Name: C:\Config.Msi\e34d9.rbs
Value: 31077051

Process: (2192) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete key
Name: (default)
Value: (none)

Process: (2192) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
Operation: delete key
Name: (default)
Value: (none)

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: 1

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value: 8090C009AE47079820E43DFE94FB561AB51CA2C302C3C4FD1F91D91C56F48A29

Process: (2192) msiexec.exe
Key: HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value: 90080000C21F0374BB32DA01
Executable files: 6
Suspicious files: 22
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2192 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
  MD5: 643D03726EEB8FAF1EA28E87E7B0045F
  SHA256: 3E884E5C1A8BA93F204B4A1629F0659312429FAD61EFEE4B87DE6654DAE5EB8E
2192 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_18042D51F9AD69DAFE253165733E264E | binary
  MD5: 0912F76BB73C69CBD130B0CB9BB110C6
  SHA256: 2A4848913BC5066363663CE25642A54380E46125C22B13CB59D65B324D31312B
2192 | msiexec.exe | C:\Windows\Installer\MSI36FB.tmp | executable
  MD5: A3AE5D86ECF38DB9427359EA37A5F646
  SHA256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
1728 | webex (1).exe | C:\Users\admin\AppData\Local\Temp\bea0f3b5-cccb-4587-986f-ceda2b1b6d05.msi | executable
  MD5: 83FC39D652D6685E7B59579A94C1BB48
  SHA256: F6850CFA06F6FF9FDD8AFA27CF2BACF45C61A43680400A73B4190E60DACA898C
2192 | msiexec.exe | C:\Windows\Installer\MSI3A47.tmp | binary
  MD5: A1721C7871EC48FEE9A626FB67250D53
  SHA256: 2CF6D7310B4F39B96A9F789D9A975628CFF3F174584522B28BF4DEF0A1D15D24
2192 | msiexec.exe | C:\Windows\TEMP\~DFB05CBE42FD353B1D.TMP | binary
  MD5: 324841FD547D34883EB2F23E04D20429
  SHA256: B3BC91CAFFFCDC3353AAD0EEE91E035A36B797F98D86F3FE000CD8AA2BD500F6
2192 | msiexec.exe | C:\Windows\Installer\e34d7.msi | executable
  MD5: 83FC39D652D6685E7B59579A94C1BB48
  SHA256: F6850CFA06F6FF9FDD8AFA27CF2BACF45C61A43680400A73B4190E60DACA898C
2192 | msiexec.exe | C:\Windows\Installer\MSI368C.tmp | executable
  MD5: A3AE5D86ECF38DB9427359EA37A5F646
  SHA256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
2192 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe | executable
  MD5: EAA92AA743D5FC7D12116E3D7ED27985
  SHA256: 93A4926F6ECC6DE2FB60F28B9CFE1BE6BA9BACAA141E7DA13B29725A92EA9946
2192 | msiexec.exe | C:\Windows\TEMP\~DF26580DD7E00C6005.TMP | binary
  MD5: BF619EAC0CDF3F68D496EA9344137E8B
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 9
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2192 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAa0%2FGwHJUJ0q%2FupX4j4rA4%3D | unknown | binary | 727 b | unknown
804 | smartscreen.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a8be6b76ed42b984 | unknown | compressed | 4.66 Kb | unknown
2192 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | binary | 727 b | unknown
1412 | svchost.exe | GET | 200 | 2.21.20.140:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | text | 22 b | unknown
804 | smartscreen.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | binary | 471 b | unknown
3752 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | svchost.exe | 23.35.236.109:443 | - | AKAMAI-AS | DE | unknown
4588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
804 | smartscreen.exe | 20.31.251.109:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
804 | smartscreen.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1728 | webex (1).exe | 170.72.245.124:443 | client-upgrade-a.wbx2.com | - | US | unknown
804 | smartscreen.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1732 | OfficeC2RClient.exe | 52.109.32.97:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
6108 | OfficeC2RClient.exe | 52.109.32.97:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
2864 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1728 | webex (1).exe | 143.204.98.51:443 | binaries.webex.com | AMAZON-02 | US | unknown

DNS requests

Domain | IP | Reputation
checkappexec.microsoft.com | 20.31.251.109 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
client-upgrade-a.wbx2.com | 170.72.245.124, 170.72.245.220, 170.72.245.169 | unknown
ocsp.digicert.com | 192.229.221.95 | whitelisted
binaries.webex.com | 143.204.98.51, 143.204.98.46, 143.204.98.48, 143.204.98.26 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.17, 20.190.160.14, 40.126.32.74, 40.126.32.72, 40.126.32.68, 40.126.32.134, 40.126.32.136 | whitelisted
fs.microsoft.com | 2.19.85.159 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
mrodevicemgr.officeapps.live.com | 52.109.89.117 | whitelisted

Threats

PID | Process | Class | Message
1412 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
No debug info