File name: celex.exe

Full analysis: https://app.any.run/tasks/3f9fdcad-bf5d-4b20-89e0-69790f3ce4a7
Verdict: Malicious activity
Analysis date: January 01, 2024, 00:57:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 3D05F35DD57D171EF57A37FD9E8498FC
SHA1: C18418FE05AB38C0005ECBC0ED6BA10CACA174C8
SHA256: 070A26B9B519330DA249104467525BE63B1B23015D23C86B306D31465E79A024
SSDEEP: 98304:A9uJbdW4/yeU53U2LOCSKLe5683C3PMcRrK3q71EhAO8frCfx4dp0wJJSb9V2ZCS:AMXTicKk4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the BIOS version

      • celex.exe (PID: 5328)
    • Checks Windows Trust Settings

      • celex.exe (PID: 5328)
    • Reads security settings of Internet Explorer

      • celex.exe (PID: 5328)
    • Executes application which crashes

      • celex.exe (PID: 5328)
  • INFO

    • Process checks are UAC notifies on

      • celex.exe (PID: 5328)
    • Checks supported languages

      • celex.exe (PID: 5328)
    • Drops the executable file immediately after the start

      • celex.exe (PID: 5328)
    • Reads the computer name

      • celex.exe (PID: 5328)
    • Creates files or folders in the user directory

      • celex.exe (PID: 5328)
      • WerFault.exe (PID: 5084)
    • Checks proxy server information

      • celex.exe (PID: 5328)
      • WerFault.exe (PID: 5084)
    • Reads the machine GUID from the registry

      • celex.exe (PID: 5328)
    • Reads the software policy settings

      • celex.exe (PID: 5328)
      • WerFault.exe (PID: 5084)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:12:09 20:13:03+01:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 910848
InitializedDataSize: 468480
UninitializedDataSize: -
EntryPoint: 0x734058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 129
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (image not included): start → celex.exe → werfault.exe; filecoauth.exe (no specs); celex.exe (no specs)

Process information

PID: 1096
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
  • c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll

PID: 5084
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5328 -s 1972
Path: C:\Windows\System32\WerFault.exe
Parent process: celex.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\cryptsp.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll

PID: 5328
CMD: "C:\Users\admin\Desktop\celex.exe"
Path: C:\Users\admin\Desktop\celex.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN; the crash that WerFault.exe PID 5084 reported)
Modules (images):
  • c:\users\admin\desktop\celex.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\d3d11.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\msvcrt.dll

PID: 5460
CMD: "C:\Users\admin\Desktop\celex.exe"
Path: C:\Users\admin\Desktop\celex.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the medium-integrity launch failed before the elevated instance PID 5328 ran)
Modules (images):
  • c:\users\admin\desktop\celex.exe
  • c:\windows\system32\ntdll.dll
Total events: 7 832
Read events: 7 816
Write events: 13
Delete events: 3

Modification events

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (5328) celex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5084) WerFault.exe
Key: \REGISTRY\A\{81b0931c-35c0-129a-a38f-c30ad4d58ace}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (5084) WerFault.exe
Key: \REGISTRY\A\{81b0931c-35c0-129a-a38f-c30ad4d58ace}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: -

Executable files: 0
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_celex.exe_2e3bc173aff9a52307ddbc0f2e664e37e45762b_ee191e17_f81471d4-77e6-40c9-a080-3a05d843eda5\Report.wer
Type: -
MD5: -
SHA256: -

PID: 5084
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\celex.exe.5328.dmp
Type: -
MD5: -
SHA256: -

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC396.tmp.WERInternalMetadata.xml
Type: xml
MD5: F89DE481FDEDC8284F3BC5C7F3827664
SHA256: 4615037BCA4506C39EDAAA1A9966C5D08412C3AE84F5D7303856B9AD549D9D4A

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC318.tmp.dmp
Type: binary
MD5: 5F0228DE11D0CC960B8F61AF7A3353D5
SHA256: 8AFCEB412F0E0C954B0E2015EDA8624E567B334CE8A0A4BFD701EA563B93CD67

PID: 1096
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-01-01.0101.1096.1.odl
Type: binary
MD5: 5B86A9D9569F972990B82123EC7A4F32
SHA256: F7E1A90321C3F248FA3DE4B950A791EE0689D0FC872265FA00ED3B91ADC278EA

PID: 1096
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-01-01.0101.1096.1.aodl
Type: binary
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3B6.tmp.xml
Type: xml
MD5: C50DAC03367D15A27A17BED96235B579
SHA256: 686E9CDFEC9F4CE111B4B5156328A1F98302DA078A91B910CA2B3FD07CB47647

HTTP(S) requests: 21
TCP/UDP connections: 21
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2908 | svchost.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | - | - | unknown
4524 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
4524 | SIHClient.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown
4524 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | unknown
4524 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | binary | 555 b | unknown
4524 | SIHClient.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
4524 | SIHClient.exe | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | - | - | unknown
4524 | SIHClient.exe | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | - | - | unknown
4524 | SIHClient.exe | GET | 200 | 20.166.126.56:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5328 | celex.exe | 2.19.120.85:443 | clientsettingscdn.roblox.com | Akamai International B.V. | DE | unknown
1676 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5612 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4188 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5084 | WerFault.exe | 20.189.173.22:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2908 | svchost.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
2644 | OfficeClickToRun.exe | 13.89.178.27:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4524 | SIHClient.exe | 52.165.165.26:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4524 | SIHClient.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4524 | SIHClient.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
clientsettingscdn.roblox.com | 2.19.120.85, 2.19.120.73 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
umwatson.events.data.microsoft.com | 20.189.173.22 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted
self.events.data.microsoft.com | 13.89.178.27 | whitelisted
slscr.update.microsoft.com | 52.165.165.26, 40.68.123.157 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 88.221.125.143 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted

Threats

No threats detected
No debug info