File name: FPRTSetpup.exe

Full analysis: https://app.any.run/tasks/b7eaf715-91d9-49f5-adaa-8330aba0537d
Verdict: Malicious activity
Analysis date: May 29, 2024, 05:51:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: EED1114DE37304092113C8B88A8840DE
SHA1: 6D7E10CD67CFF96D16B0E01C69FE3620CFDED0B1
SHA256: 2EC964E818A29F78938D3BA5F4086C930EEFDBB585140BD1B3E12369D1B787BB
SSDEEP: 98304:pggQ23Bsqz7TXz015keyFbZUiTBi3Y7VOubzQN5WTkW+ZRJpi8HRETsPldlY2Jfg:h/6WAUS/VbkTD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • FPRTSetpup.exe (PID: 4084)
  • SUSPICIOUS
    • Reads the BIOS version
      • nos_launcher.exe (PID: 2104)
    • Executable content was dropped or overwritten
      • FPRTSetpup.exe (PID: 4084)
    • Reads the Internet Settings
      • nos_launcher.exe (PID: 2104)
      • TrustedSiteCtrl_S.exe (PID: 1592)
    • Reads security settings of Internet Explorer
      • nos_launcher.exe (PID: 2104)
      • TrustedSiteCtrl_S.exe (PID: 1592)
    • Checks Windows Trust Settings
      • nos_launcher.exe (PID: 2104)
    • Changes internet zones settings
      • TrustedSiteCtrl_S.exe (PID: 1592)
    • Creates a software uninstall entry
      • FPRTSetpup.exe (PID: 4084)
    • Reads settings of System Certificates
      • nos_launcher.exe (PID: 2104)
  • INFO
    • Checks supported languages
      • FPRTSetpup.exe (PID: 4084)
      • nos_launcher.exe (PID: 2104)
      • wmpnscfg.exe (PID: 764)
      • TrustedSiteCtrl_S.exe (PID: 1592)
    • Reads the computer name
      • FPRTSetpup.exe (PID: 4084)
      • nos_launcher.exe (PID: 2104)
      • TrustedSiteCtrl_S.exe (PID: 1592)
      • wmpnscfg.exe (PID: 764)
    • Creates files in a temporary directory
      • FPRTSetpup.exe (PID: 4084)
    • Creates files in the program directory
      • FPRTSetpup.exe (PID: 4084)
    • Reads Environment values
      • nos_launcher.exe (PID: 2104)
    • Reads product name
      • nos_launcher.exe (PID: 2104)
    • Creates files or folders in the user directory
      • nos_launcher.exe (PID: 2104)
    • Checks proxy server information
      • nos_launcher.exe (PID: 2104)
    • Reads the machine GUID from the registry
      • nos_launcher.exe (PID: 2104)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 764)
    • Reads the software policy settings
      • nos_launcher.exe (PID: 2104)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.1
ProductVersionNumber: 1.0.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Korea (Shift - KSC 5601)
CompanyName: 인터넷등기소
FileVersion: 1.0.1.1
LegalCopyright: 인터넷등기소
ProductName: FPRTSetup
All screenshots are available in the full report
Total processes: 42
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

  • fprtsetpup.exe
  • nos_launcher.exe
  • wmpnscfg.exe (no specs)
  • trustedsitectrl_s.exe (no specs)
  • certutil.exe (no specs)
  • fprtsetpup.exe (no specs)

Process information

PID: 764
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1592
CMD: "C:\Program Files\MarkAny\maepscourt\TrustedSiteCtrl_S.exe"
Path: C:\Program Files\MarkAny\maepscourt\TrustedSiteCtrl_S.exe
Parent process: FPRTSetpup.exe
User: admin
Company: iros
Integrity Level: HIGH
Description: TrustedSiteCtrl 응용 프로그램
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
  • c:\program files\markany\maepscourt\trustedsitectrl_s.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winspool.drv

PID: 1620
CMD: "certutil" -enterprise -f -v -addstore "Root" "C:\Program Files\MarkAny\maepscourt\Code_RootCA.cer"
Path: C:\Windows\System32\certutil.exe
Parent process: FPRTSetpup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533)
Modules (images):
  • c:\windows\system32\certutil.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\certcli.dll
  • c:\windows\system32\atl.dll

PID: 2104
CMD: "C:\Program Files\MarkAny\maepscourt\nos_launcher.exe"
Path: C:\Program Files\MarkAny\maepscourt\nos_launcher.exe
Parent process: FPRTSetpup.exe
User: admin
Company: INCA Internet Co., Ltd.
Integrity Level: HIGH
Description: nProtect Online Security Downloader
Exit code: 2
Version: 2017, 4, 4, 1
Modules (images):
  • c:\program files\markany\maepscourt\nos_launcher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\FPRTSetpup.exe"
Path: C:\Users\admin\AppData\Local\Temp\FPRTSetpup.exe
Parent process: explorer.exe
User: admin
Company: 인터넷등기소
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.0.1.1
Modules (images):
  • c:\users\admin\appdata\local\temp\fprtsetpup.exe
  • c:\windows\system32\ntdll.dll

PID: 4084
CMD: "C:\Users\admin\AppData\Local\Temp\FPRTSetpup.exe"
Path: C:\Users\admin\AppData\Local\Temp\FPRTSetpup.exe
Parent process: explorer.exe
User: admin
Company: 인터넷등기소
Integrity Level: HIGH
Exit code: 0
Version: 1.0.1.1
Modules (images):
  • c:\users\admin\appdata\local\temp\fprtsetpup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
Total events: 6 148
Read events: 6 070
Write events: 68
Delete events: 10

Modification events

  • (PID) Process: (4084) FPRTSetpup.exe
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fprtfixdatexctrl
    Operation: write | Name: URL Protocol | Value:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\INCAInternet
    Operation: write | Name: retDown | Value: -1
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    Operation: write | Name: CachePrefix | Value:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    Operation: write | Name: CachePrefix | Value: Cookie:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    Operation: write | Name: CachePrefix | Value: Visited:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: write | Name: ProxyEnable | Value: 0
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: delete value | Name: ProxyServer | Value:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: delete value | Name: ProxyOverride | Value:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: delete value | Name: AutoConfigURL | Value:
  • (PID) Process: (2104) nos_launcher.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: delete value | Name: AutoDetect | Value:
Executable files: 7
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

  • PID 4084 | FPRTSetpup.exe | C:\Users\admin\AppData\Local\Temp\nsu43F1.tmp
    MD5:
    SHA256:
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\nosapp.dll | executable
    MD5: 149EF0AB426ED3C979E6E9FE9404520D
    SHA256: 19E2DD4504E8A797D3EEB3DA6361054170DB55898D5735298CBD29EF736915F2
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\FPRTFixDateXCtrl.xgh | binary
    MD5: A0561FD7DCA0955723EE28EAF40ED6BA
    SHA256: C896397B75E8C9B4BC8C0FC70A164EEF790D42452FED59452EF223BB20D0534F
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\court.bmp | image
    MD5: 5FB66CCA65F15C1F34DFD19D267E4665
    SHA256: 3358D00F686E142DD332454066F277247BFEB290891228C62BB5FF1B4A732927
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\FPRTFixDateXCtrl.exe | executable
    MD5: 6BD85A8D5832B3036CFFE87ADCA02268
    SHA256: 2E1C0D8BF0B903F84E7D1F87D4B4986F5A729AE0BF77E2984FF69C08AE6EE5F2
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\TrustedSiteCtrl_S.exe | executable
    MD5: 7CF7B08945EF84E47DB1B78F3106AC74
    SHA256: 28892FB08803712FC35F089E0F50A3E69485677B4B2D5A781B3C0A6ED250ECB3
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\nos_launcher.exe | executable
    MD5: C2ED17DE87482F308698C32E60477400
    SHA256: 004D4C0465EE24FBCE6A735B791BDB485B6AC79A317A2F44B93410E8517E85D9
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\nos_param.dat | binary
    MD5: D2DEEE78DD437C77232BEE973ACA21B9
    SHA256: CEC28B803F34D864662BDBA27F526F951515F84EA2DC421A46A6DD3546A37B88
  • PID 4084 | FPRTSetpup.exe | C:\Program Files\MarkAny\maepscourt\IsuNoPrinterlist.exe | executable
    MD5: F3ED613C3E258505C52EC9BD9F384792
    SHA256: 25E3FC2A32837D62144A6092B3AC53B25E314B95B77E30FD9175AAA6C87082FA
  • PID 4084 | FPRTSetpup.exe | C:\Users\admin\AppData\Local\Temp\nsa4460.tmp\FindProcDLL.dll | executable
    MD5: 8614C450637267AFACAD1645E23BA24A
    SHA256: 0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

  • PID 4 | System | 192.168.100.255:138 | Reputation: unknown
  • PID 4 | System | 192.168.100.255:137 | Reputation: whitelisted
  • 224.0.0.252:5355 | Reputation: unknown
  • PID 2104 | nos_launcher.exe | 61.111.25.113:443 | Domain: supdate.nprotect.net | ASN: LG DACOM Corporation | CN: KR | Reputation: unknown

DNS requests

  • Domain: supdate.nprotect.net
    IP: 61.111.25.113, 61.111.25.114
    Reputation: unknown

Threats

No threats detected
No debug info