File name: Welcome.exe

Full analysis: https://app.any.run/tasks/a1a7f96c-0fa6-4386-b16e-e7e7c1abc73e
Verdict: Malicious activity
Analysis date: December 14, 2023, 15:39:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 400061294EDA2F1BBF4B5B7E9FFE318E
SHA1: 42C0E4791B1E65F6A323E65F8E941C3FB2201CB9
SHA256: 4BE8C479314B8DA275A1F1139B2BFF96AEC7CF8ADFC459EA9773081A83C72C6F
SSDEEP: 98304:AtfGrRCpfAboH7jf6KOn6u45mUcBSncugKsf98oLlAF6L0qb6wnT440ol3xe08Ct:B02

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Welcome.exe (PID: 3264)
      • Welcome.exe (PID: 2532)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • Welcome.exe (PID: 3264)
      • Welcome.exe (PID: 2532)
    • Starts itself from another location

      • Welcome.exe (PID: 3264)
      • Welcome.exe (PID: 2532)
  • INFO

    • Reads the computer name

      • Welcome.exe (PID: 3264)
      • icsys.icn.exe (PID: 1852)
      • Welcome.exe (PID: 2532)
    • Checks supported languages

      • Welcome.exe (PID: 3264)
      • welcome.exe  (PID: 2464)
      • icsys.icn.exe (PID: 1852)
      • Welcome.exe (PID: 2532)
      • welcome.exe  (PID: 2976)
      • icsys.icn.exe (PID: 600)
    • Creates files in a temporary directory

      • Welcome.exe (PID: 3264)
      • icsys.icn.exe (PID: 1852)
      • icsys.icn.exe (PID: 600)
      • Welcome.exe (PID: 2532)
    • Creates files or folders in the user directory

      • Welcome.exe (PID: 3264)
    • Reads the machine GUID from the registry

      • Welcome.exe (PID: 3264)
      • icsys.icn.exe (PID: 1852)
      • icsys.icn.exe (PID: 600)
      • Welcome.exe (PID: 2532)
    • Manual execution by a user

      • Welcome.exe (PID: 2532)
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (46.5)
.exe | Win32 Executable MS Visual C++ (generic) (17.6)
.exe | Win64 Executable (generic) (15.6)
.exe | UPX compressed Win32 Executable (15.3)
.exe | Win32 Executable (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:06:14 21:01:16+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 176128
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x3670
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft
ProductName: Win
FileVersion: 1
ProductVersion: 1
InternalName: Win
OriginalFileName: Win.exe
No data.
Total processes: 42
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Process graph, available in the full report. Nodes shown: start, welcome.exe, welcome.exe , icsys.icn.exe, welcome.exe, welcome.exe , icsys.icn.exe.)

Process information

PID: 600
CMD: C:\Users\admin\AppData\Local\icsys.icn.exe
Path: C:\Users\admin\AppData\Local\icsys.icn.exe
Parent process: Welcome.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1852
CMD: C:\Users\admin\AppData\Local\icsys.icn.exe
Path: C:\Users\admin\AppData\Local\icsys.icn.exe
Parent process: Welcome.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 2464
CMD: c:\users\admin\desktop\welcome.exe 
Path: C:\Users\admin\Desktop\welcome.exe 
Parent process: Welcome.exe
User: admin
Company: Ericksystem
Integrity Level: MEDIUM
Exit code: 0
Version: 1.1.0.0
Modules (images):
c:\users\admin\desktop\welcome.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2532
CMD: "C:\Users\admin\Desktop\Welcome.exe"
Path: C:\Users\admin\Desktop\Welcome.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\desktop\welcome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 2976
CMD: c:\users\admin\desktop\welcome.exe 
Path: C:\Users\admin\Desktop\welcome.exe 
Parent process: Welcome.exe
User: admin
Company: Ericksystem
Integrity Level: MEDIUM
Exit code: 0
Version: 1.1.0.0
Modules (images):
c:\users\admin\desktop\welcome.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3264
CMD: "C:\Users\admin\Desktop\Welcome.exe"
Path: C:\Users\admin\Desktop\Welcome.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\desktop\welcome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 360
Read events: 357
Write events: 3
Delete events: 0

Modification events

(PID) Process: (1852) icsys.icn.exe
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (2532) Welcome.exe
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 3264
Process: Welcome.exe
Filename: C:\Users\admin\AppData\Local\icsys.icn.exe
Type: executable
MD5: F4CBC765444FFA470C34D8929F58D835
SHA256: 3A142D5CF52D304F1572CC38953C366EC9E8DDEA439A1C632C3E737DB8E36050

PID: 3264
Process: Welcome.exe
Filename: C:\users\admin\desktop\welcome.exe  (the file name ends in a trailing space, which is why the "unusual extension" signature fires for this copy)
Type: executable
MD5: 7D32251B4B250A18D5C3F1AFBA0F461D
SHA256: DBF89010D96EF015066560C2E393DD071EF04F88C57DB3B6F7B0B8BEDEB2D9F0

PID: 3264
Process: Welcome.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD78CC8A2A08CAA6E.TMP
Type: binary
MD5: B9C10DCC9C738313BC740C552FE1AD9B
SHA256: F6E24EF13F3877CA3B5FE65DDCC23E4AD28AA78E7D6F8F90C4B49856F3590558

PID: 2532
Process: Welcome.exe
Filename: C:\users\admin\desktop\welcome.exe  (trailing space in the file name, as above)
Type: executable
MD5: 7D32251B4B250A18D5C3F1AFBA0F461D
SHA256: DBF89010D96EF015066560C2E393DD071EF04F88C57DB3B6F7B0B8BEDEB2D9F0

PID: 600
Process: icsys.icn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD9EE69FD2F0DC8A4.TMP
Type: binary
MD5: 5A4030D72B755AF3C10E5F553C699BF8
SHA256: EDED9379FC7166EA925C9AC3A33D67B8310A0653A4C3D398D00737152B7735BD

PID: 2532
Process: Welcome.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFCCB7D76482BFC7D9.TMP
Type: binary
MD5: 5A4030D72B755AF3C10E5F553C699BF8
SHA256: EDED9379FC7166EA925C9AC3A33D67B8310A0653A4C3D398D00737152B7735BD

PID: 1852
Process: icsys.icn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF50BBD4B1106F46C2.TMP
Type: binary
MD5: 067962B8F6BEEA93F6A6011C008E9553
SHA256: 873EDD2BBEFBC025DD32F81A2A957415307BA87A96AD93EB8F8CB1B267D7D241
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                     Domain  ASN  CN  Reputation
4     System       192.168.100.255:138    -       -    -   whitelisted
1080  svchost.exe  224.0.0.252:5355       -       -    -   unknown
4     System       192.168.100.255:137    -       -    -   whitelisted
2588  svchost.exe  239.255.255.250:1900   -       -    -   whitelisted

DNS requests

No data

Threats

No threats detected
No debug info