File name: naticord-setup.exe

Full analysis: https://app.any.run/tasks/5eaa8c8f-a03a-465b-8a03-f7f800697d8e
Verdict: Malicious activity
Analysis date: May 22, 2024, 14:50:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0A9B602457147C49891DE6396BE3821D
SHA1: 5EE38684E071A6B70895D0D596F80947AB0D4153
SHA256: A8F33BE867E4A17FFF47C6C8BF8C1832C0B95FD4B2538C16DF75374753139954
SSDEEP: 98304:m+cD4dn8ZTQZPosM0lnClSUyNIkWnXFopLQ3iUrex4vkY7mZNmijVPiZQQ:ykWYm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • naticord-setup.exe (PID: 3968)
      • naticord-setup.exe (PID: 1200)
      • naticord-setup.tmp (PID: 928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • naticord-setup.exe (PID: 3968)
      • naticord-setup.exe (PID: 1200)
      • naticord-setup.tmp (PID: 928)
    • Reads the Windows owner or organization settings

      • naticord-setup.tmp (PID: 928)
  • INFO

    • Checks supported languages

      • naticord-setup.exe (PID: 3968)
      • naticord-setup.tmp (PID: 3984)
      • naticord-setup.exe (PID: 1200)
      • naticord-setup.tmp (PID: 928)
      • Naticord.exe (PID: 2028)
    • Create files in a temporary directory

      • naticord-setup.exe (PID: 3968)
      • naticord-setup.exe (PID: 1200)
    • Reads the computer name

      • naticord-setup.tmp (PID: 3984)
      • naticord-setup.tmp (PID: 928)
      • Naticord.exe (PID: 2028)
    • Creates files or folders in the user directory

      • naticord-setup.tmp (PID: 928)
    • Creates a software uninstall entry

      • naticord-setup.tmp (PID: 928)
    • Creates files in the program directory

      • naticord-setup.tmp (PID: 928)
    • Manual execution by a user

      • Naticord.exe (PID: 2028)
      • chrome.exe (PID: 1680)
    • Reads the machine GUID from the registry

      • Naticord.exe (PID: 2028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: naticord Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: naticord
ProductVersion: 0.1.1 Beta 4
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Graph nodes: start, naticord-setup.exe, naticord-setup.tmp (no specs), naticord-setup.exe, naticord-setup.tmp, naticord.exe (no specs), chrome.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 928
CMD: "C:\Users\admin\AppData\Local\Temp\is-8DKHJ.tmp\naticord-setup.tmp" /SL5="$2013A,1270559,832512,C:\Users\admin\AppData\Local\Temp\naticord-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-8DKHJ.tmp\naticord-setup.tmp
Parent process: naticord-setup.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-8dkhj.tmp\naticord-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1200
CMD: "C:\Users\admin\AppData\Local\Temp\naticord-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\naticord-setup.exe
Parent process: naticord-setup.tmp
User: admin
Company:
Integrity Level: HIGH
Description: naticord Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\appdata\local\temp\naticord-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID: 1680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 109.0.5414.120

PID: 2028
CMD: "C:\Users\admin\AppData\Roaming\naticord\Naticord.exe"
Path: C:\Users\admin\AppData\Roaming\naticord\Naticord.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Naticord
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\naticord\naticord.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3968
CMD: "C:\Users\admin\AppData\Local\Temp\naticord-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\naticord-setup.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: naticord Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\appdata\local\temp\naticord-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID: 3984
CMD: "C:\Users\admin\AppData\Local\Temp\is-CKQ09.tmp\naticord-setup.tmp" /SL5="$20138,1270559,832512,C:\Users\admin\AppData\Local\Temp\naticord-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-CKQ09.tmp\naticord-setup.tmp
Parent process: naticord-setup.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-ckq09.tmp\naticord-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 5 044
Read events: 5 014
Write events: 24
Delete events: 6

Modification events

PID 928, naticord-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: A00300000EA4276957ACDA01

PID 928, naticord-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: E88F6F5102885CB740671CA8986205CAC27DFFF923C24B0D0176CD5EA02F8DF9

PID 928, naticord-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

PID 928, naticord-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Roaming\naticord\Naticord.exe

PID 928, naticord-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 1E1E5C4E9D1FEF0F9A2A94F78DDC9B0E882C7B1163C71443236996AD39D96E74

PID 928, naticord-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\naticord_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

PID 928, naticord-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\naticord_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Roaming\naticord

PID 928, naticord-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\naticord_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Roaming\naticord\

PID 928, naticord-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\naticord_is1
Operation: write
Name: Inno Setup: Icon Group
Value: naticord

PID 928, naticord-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\naticord_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 10
Suspicious files: 0
Text files: 6
Unknown types: 5

Dropped files

Columns: PID, Process, Filename, Type

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\is-NIQ1I.tmp | pdb
MD5: 13633615AAD5EF1C522C43B672317139
SHA256: 5F3B39CF994F087F77758D129A450E323EDA2FC68A633EF4903CE2A2056414EF

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\is-449LD.tmp | executable
MD5: 6C901446E95B532EAD315C190F7F99B4
SHA256: B592DA5A0208909BFB34D928DB47E671B3A1149A5FAD327B91181B8ADCC3B6BA

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\unins000.exe | executable
MD5: 6C901446E95B532EAD315C190F7F99B4
SHA256: B592DA5A0208909BFB34D928DB47E671B3A1149A5FAD327B91181B8ADCC3B6BA

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\is-QFI1N.tmp | xml
MD5: 47FCD701FC39687097E7311A75A772C0
SHA256: FCF95979205E1937078154BF501BAC57047E48BCA2E7FEEF2B425185545B483F

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\Naticord.exe.config | xml
MD5: 47FCD701FC39687097E7311A75A772C0
SHA256: FCF95979205E1937078154BF501BAC57047E48BCA2E7FEEF2B425185545B483F

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\is-VG5D2.tmp | executable
MD5: 4B75F93A0D8D2F39EDAF5568977CC7DC
SHA256: E6D1371D1AA774D155E9A4A89DA32B87FD4928650F4D76A1CF68C8C88283693C

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\Naticord.pdb | pdb
MD5: 13633615AAD5EF1C522C43B672317139
SHA256: 5F3B39CF994F087F77758D129A450E323EDA2FC68A633EF4903CE2A2056414EF

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\Newtonsoft.Json.dll | executable
MD5: 4B75F93A0D8D2F39EDAF5568977CC7DC
SHA256: E6D1371D1AA774D155E9A4A89DA32B87FD4928650F4D76A1CF68C8C88283693C

3968 | naticord-setup.exe | C:\Users\admin\AppData\Local\Temp\is-CKQ09.tmp\naticord-setup.tmp | executable
MD5: 84744B47461B352A11C2E55EBCB9C425
SHA256: 4310C1FAAE8EC3C2FE387BC37063D04C3FEF8D81ED5D0AD38B41C56CA7F2317A

928 | naticord-setup.tmp | C:\Users\admin\AppData\Roaming\naticord\is-NONUD.tmp | executable
MD5: B5ABCC88494796B69BC15438366405A0
SHA256: 80DC6CD5D96E6A33BF3814399848E8FBE48D10815F2AA2112195AF54C290A681
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

4 | System | 192.168.100.255:137 | (no domain) | (no ASN) | (no CN) | whitelisted
4 | System | 192.168.100.255:138 | (no domain) | (no ASN) | (no CN) | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info