File name: EzExtractSetup.exe
Full analysis: https://app.any.run/tasks/5aa1dcb6-cb2e-43bd-a59c-f37840fbeb0e
Verdict: Malicious activity
Analysis date: March 25, 2025, 00:51:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 7399EBE1E1B9C99F3CB4A2521D424384
SHA1: 7A560782421FEB72B1E84F162CF0ABD0809FDA28
SHA256: 4704846C5605552A2573AEB62F176630FD2BA5498457420C3FB36A27CAE6800F
SSDEEP: 98304:QBXfMTSPotXjLlZa6XloPaUP0KsdzGP5shhrLAvKxKEczZRNNYyWs0CbXnoGAyvp:QioCUm5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • regsvr32.exe (PID: 6712)
        (In this run PID 6712 is regsvr32.exe registering C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll, see the process table below. The signature fires because a DLL was loaded from outside the Windows directories; it is not evidence of a hijacked system DLL search path.)
    • Registers / Runs the DLL via REGSVR32.EXE

      • EzExtractSetup.exe (PID: 7456)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Executable content was dropped or overwritten

      • EzExtractSetup.exe (PID: 7456)
    • The process creates files with name similar to system file names

      • EzExtractSetup.exe (PID: 7456)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • EzExtractSetup.exe (PID: 7456)
        (Caveat: this is a Nullsoft installer, and NSIS extracts its own System plugin as System.dll into %TEMP%\ns*.tmp alongside nsDialogs.dll; on its own the file name is expected for any NSIS package, so weigh this signature accordingly.)
    • There is functionality for taking screenshot (YARA)

      • EzExtractSetup.exe (PID: 7456)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6712)
      • regsvr32.exe (PID: 2284)
    • Creates a software uninstall entry

      • EzExtractSetup.exe (PID: 7456)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 7304)
        (The elevated installer starts explorer.exe with the path of EzExtractProApp.exe as its argument; the application then appears as a MEDIUM-integrity child of explorer.exe (PID 1348) instead of inheriting the installer's HIGH token. This is a common installer pattern for launching the application as the logged-on user, but it is also the same technique used to run code without an obvious parent-child link to the dropper.)
  • INFO

    • Checks supported languages

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • The sample compiled with english language support

      • EzExtractSetup.exe (PID: 7456)
    • Reads the computer name

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Reads the machine GUID from the registry

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Checks proxy server information

      • EzExtractSetup.exe (PID: 7456)
    • Reads the software policy settings

      • EzExtractSetup.exe (PID: 7456)
      • slui.exe (PID: 7616)
    • Creates files or folders in the user directory

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Create files in a temporary directory

      • EzExtractSetup.exe (PID: 7456)
    • Creates files in the program directory

      • EzExtractSetup.exe (PID: 7456)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7432)
    • Manual execution by a user

      • mspaint.exe (PID: 3888)
      • mspaint.exe (PID: 7880)
    • Confuser has been detected (YARA)

      • EzExtractProApp.exe (PID: 1348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:58:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Empire Security Services Inc
FileDescription: EzExtractPro
FileVersion: 1.0.0.1
LegalCopyright: Copyright © Empire Security Services Inc 2024
ProductName: EzExtractPro
ProductVersion: 1.0.0.1

Note: the PE header fields above (TimeStamp 2021-09-25, LinkerVersion 6) describe the Nullsoft installer stub, not the packaged application; the timestamp matches the NSIS 3.08 release build of 25 September 2021, while the version resource carries a 2024 copyright. Use the dropped EzExtractProApp.exe and the two DLLs for dating the actual payload.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 13
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process start order as shown in the report)

ezextractsetup.exe, sppextcomobj.exe, slui.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, explorer.exe, explorer.exe, ezextractproapp.exe, mspaint.exe, mspaint.exe, slui.exe, ezextractsetup.exe

Process information

(Per process: PID, command line, image path, parent process, user, company, integrity level, description, exit code, version, and the first loaded modules.)
PID 1348
CMD: "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: MEDIUM
Description: EzExtractPro
Exit code: 0
Version: 1.0.0.1
Note: mscoree.dll is among the first loaded modules, so this is a managed (.NET) executable; the "Confuser has been detected (YARA)" indicator above refers to this process.
Modules (images):
c:\program files (x86)\ezextractpro\ezextractproapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 2284
CMD: /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: this is the 64-bit regsvr32 from System32, started by another regsvr32.exe and given the same DLL as the 32-bit instance PID 5072. That is consistent with regsvr32 handing a DLL of the other architecture to its 64-bit counterpart, i.e. EzExtractProShell.dll being a 64-bit shell extension and EzExtractProShell32.dll (PID 6712) its 32-bit build.
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 3888
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\insteadannouncements.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Paint
Exit code: 0
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 5072
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: the command line names C:\WINDOWS\system32\regsvr32.exe but the image that ran is C:\Windows\SysWOW64\regsvr32.exe: the installer is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 and this is the 32-bit regsvr32 (the wow64*.dll modules confirm it).
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 6712
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: 32-bit regsvr32 (same WoW64 redirection as PID 5072). This is the instance that writes the WOW6432Node CLSID {3D983473-BB31-4609-9F85-3A93CE453FC7} entries listed under Modification events, i.e. it registers EzExtractProShell32.dll as a 32-bit in-process COM server.
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 7304
CMD: "C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Windows\explorer.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Note: the elevated installer launches the application through explorer.exe. A second explorer instance started with a file argument hands the request to the already running shell and exits (hence exit code 1 and the short module list), so EzExtractProApp.exe (PID 1348) is started by the user's MEDIUM-integrity shell rather than with the installer's HIGH token.
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID 7352
CMD: "C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: MEDIUM
Description: EzExtractPro
Exit code: 3221226540
Version: 1.0.0.1
Note: 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED. The first, medium-integrity start of the installer was refused by the loader because the executable requires elevation; only ntdll was mapped. PID 7456 below is the relaunch at HIGH integrity after the UAC prompt, and all installer activity in this report belongs to that PID.
Modules (images):
c:\users\admin\appdata\local\temp\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 7432
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Note: a COM-activated shell instance (/factory ... -Embedding, started by svchost.exe); routine Windows activity, not a child of the installer. The INFO-level "Reads security settings of Internet Explorer" hit for this PID is attributable to that.
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID 7456
CMD: "C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: HIGH
Description: EzExtractPro
Exit code: 0
Version: 1.0.0.1
Note: the elevated instance of the installer (the first start, PID 7352, failed with STATUS_ELEVATION_REQUIRED). The dropped files, the registry writes, the three regsvr32.exe children, the explorer.exe launcher (PID 7304) and the connection to ezextractinstaller.com are all attributed to this PID. The wow64*.dll modules show it is a 32-bit process running under WoW64.
Modules (images):
c:\users\admin\appdata\local\temp\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 7584
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: (still running at the end of the analysis)
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Note: Windows software-licensing component, COM-activated by svchost.exe; like the slui.exe instances it is background activity of the guest and unrelated to the sample.
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
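A triage pass over the process table, added here as an example (it is neither ANY.RUN output nor the vendor's code). It transcribes the eight installer-related processes above, decodes the 3221226540 exit code as an NTSTATUS, and flags the WoW64 redirection on the regsvr32 instances, the non-system DLL paths they register, and the explorer.exe launcher. The NTSTATUS name table and the matching rules are the editor's assumptions, chosen to cover this report rather than every Windows process tree.

```python
"""Triage the ANY.RUN process table: NTSTATUS exit codes, WoW64 redirection,
regsvr32 targets and explorer.exe used as a launcher.

Added example, not part of the report. REPORT_PROCS is transcribed from the
"Process information" section; the rules and the name table are the editor's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values from ntstatus.h; only the codes this example needs to name.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

@dataclass
class Proc:
    pid: int
    image: str        # image actually executed, as recorded by the sandbox
    cmdline: str
    parent: str       # parent image name as recorded
    integrity: str
    exit_code: Optional[int] = None

# Transcribed from the report (constructed input for this example).
REPORT_PROCS = [
    Proc(7352, r"C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe",
         r'"C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"', "explorer.exe", "MEDIUM", 3221226540),
    Proc(7456, r"C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe",
         r'"C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"', "explorer.exe", "HIGH", 0),
    Proc(5072, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"',
         "EzExtractSetup.exe", "HIGH", 0),
    Proc(6712, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"',
         "EzExtractSetup.exe", "HIGH", 0),
    Proc(2284, r"C:\Windows\System32\regsvr32.exe",
         r'/s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"', "regsvr32.exe", "HIGH", 0),
    Proc(7304, r"C:\Windows\explorer.exe",
         r'"C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"',
         "EzExtractSetup.exe", "HIGH", 1),
    Proc(7432, r"C:\Windows\explorer.exe",
         r"C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",
         "svchost.exe", "MEDIUM", 1),
    Proc(1348, r"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe",
         r'"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"', "explorer.exe", "MEDIUM", 0),
]

_DLL_ARG = re.compile(r'([A-Za-z]:\\[^"]+?\.dll)', re.I)   # first drive-rooted .dll path
_EXE_ARG = re.compile(r'"([^"]+\.exe)"\s*$', re.I)         # trailing quoted .exe argument

def decode_exit_code(code: Optional[int]) -> Optional[str]:
    """Name an exit code that is really an error-class NTSTATUS (0xC...).
    Sandboxes print the DWORD unsigned, so 0xC000042C appears as 3221226540."""
    if code is None:
        return None
    code &= 0xFFFFFFFF
    if code < 0xC0000000:          # success/informational/warning or a plain app code
        return None
    return NTSTATUS_NAMES.get(code, f"NTSTATUS 0x{code:08X}")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for the patterns this report shows."""
    findings = []
    for p in procs:
        name = _basename(p.image)
        status = decode_exit_code(p.exit_code)
        if status:
            findings.append((p.pid, f"exited with {status}"))
        if status == "STATUS_ELEVATION_REQUIRED":
            # The loader refused an unelevated start; look for the same image at HIGH.
            relaunch = [q for q in procs if q.image.lower() == p.image.lower()
                        and q.integrity == "HIGH" and q.pid != p.pid]
            if relaunch:
                findings.append((p.pid, f"relaunched elevated as PID {relaunch[0].pid} (UAC consent)"))
        if name == "regsvr32.exe":
            m = _DLL_ARG.search(p.cmdline)
            if m and not m.group(1).lower().startswith("c:\\windows\\"):
                findings.append((p.pid, f"regsvr32 registers non-system DLL {m.group(1)}"))
            if "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower():
                findings.append((p.pid, "command line names System32 but image ran from SysWOW64 "
                                        "(WoW64 redirection: 32-bit regsvr32)"))
        if name == "explorer.exe":
            m = _EXE_ARG.search(p.cmdline)
            if m and _basename(m.group(1)) != "explorer.exe":
                findings.append((p.pid, f"explorer.exe used as launcher for {m.group(1)} (parent {p.parent})"))
    return findings

if __name__ == "__main__":
    for pid, msg in analyze(REPORT_PROCS):
        print(f"PID {pid}: {msg}")
```

The WoW64 rule compares the recorded image path against the command line, which is the only reliable way to spot the redirection in a sandbox export; the command line alone says System32 for both the 32-bit and the 64-bit regsvr32. The same comparison works for any other System32 binary a 32-bit installer spawns.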
Total events: 4 467
Read events: 4 386
Write events: 79
Delete events: 2

Modification events

(The report lists 10 of the 79 write events. The InProcServer32 default value, which names the DLL that CLSID {3D983473-BB31-4609-9F85-3A93CE453FC7} loads, is not among the listed entries; the regsvr32 command line for PID 6712 points at EzExtractProShell32.dll.)

PID 7456 EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write   Name: CachePrefix   Value: (empty)

PID 7456 EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write   Name: CachePrefix   Value: Cookie:

PID 7456 EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write   Name: CachePrefix   Value: Visited:

PID 7456 EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EzExtractPro
Operation: write   Name: InstallPath   Value: C:\Program Files (x86)\EzExtractPro

PID 6712 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32
Operation: write   Name: ThreadingModel   Value: Both

PID 6712 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}
Operation: write   Name: ManualSafeSave   Value: 1

PID 7456 EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write   Name: DisplayName   Value: EzExtractPro 1.0.0.1

PID 7456 EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write   Name: InstallDate   Value: 20250325

PID 7456 EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write   Name: InstallLocation   Value: C:\Program Files (x86)\EzExtractPro\

PID 7456 EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write   Name: DisplayIcon   Value: C:\Program Files (x86)\EzExtractPro\uninstall.exe
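Sorting these writes by what they mean, as an added example that is not part of the ANY.RUN report: the event list is transcribed from the table above, and the categories and rules are the editor's. The rules go beyond this sample (Run/RunOnce keys and service definitions are included even though none appear here) so the same function can be pointed at another report's export; the CLSID extraction also infers 32- vs 64-bit registration from the WOW6432Node path, which is the detail that ties the COM writes to the 32-bit regsvr32 instance.

```python
"""Classify registry writes from a sandbox report by their persistence or
install meaning.

Added example, not part of the ANY.RUN report. EVENTS is transcribed from the
"Modification events" table; RULES and the category names are the editor's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (pid, process, key, value name, data), transcribed from the report.
EVENTS: List[Tuple[int, str, str, str, str]] = [
    (7456, "EzExtractSetup.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content", "CachePrefix", ""),
    (7456, "EzExtractSetup.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies", "CachePrefix", "Cookie:"),
    (7456, "EzExtractSetup.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History", "CachePrefix", "Visited:"),
    (7456, "EzExtractSetup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EzExtractPro", "InstallPath", r"C:\Program Files (x86)\EzExtractPro"),
    (6712, "regsvr32.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32", "ThreadingModel", "Both"),
    (6712, "regsvr32.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}", "ManualSafeSave", "1"),
    (7456, "EzExtractSetup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro", "DisplayName", "EzExtractPro 1.0.0.1"),
    (7456, "EzExtractSetup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro", "InstallDate", "20250325"),
    (7456, "EzExtractSetup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro", "InstallLocation", "C:\\Program Files (x86)\\EzExtractPro\\"),
    (7456, "EzExtractSetup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro", "DisplayIcon", r"C:\Program Files (x86)\EzExtractPro\uninstall.exe"),
]

# A CLSID key, optionally its InProcServer32 subkey. Group 1 = the GUID.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})(\\InProcServer32)?$", re.I)

# Ordered (pattern, category, what the reviewer should do with it).
RULES = [
    (CLSID_RE, "com-class",
     "new COM class: pull the InProcServer32 default value, check the DLL's path and signature"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), "autostart", "Run/RunOnce entry, executes at logon"),
    (re.compile(r"\\Services\\[^\\]+$", re.I), "service", "service definition"),
    (re.compile(r"\\CurrentVersion\\Uninstall\\", re.I), "uninstall-entry", "Add/Remove Programs footprint"),
    (re.compile(r"\\Internet Settings\\5\.0\\Cache\\", re.I), "wininet-cache-init",
     "WinINet cache bootstrap written when a process first uses WinINet/urlmon; not a settings change"),
]

def classify(key: str) -> Tuple[str, str]:
    for pattern, category, note in RULES:
        if pattern.search(key):
            return category, note
    return "other", ""

def summarize(events) -> Dict[str, list]:
    """Group events by category -> [(pid, process, key, name, data)]."""
    groups = defaultdict(list)
    for ev in events:
        groups[classify(ev[2])[0]].append(ev)
    return dict(groups)

def com_servers(events) -> Dict[str, dict]:
    """CLSIDs registered in the log, with bitness inferred from the hive path."""
    servers: Dict[str, dict] = {}
    for pid, proc, key, name, data in events:
        m = CLSID_RE.search(key)
        if not m:
            continue
        entry = servers.setdefault(m.group(1).upper(), {
            "bitness": "x86" if "\\WOW6432Node\\" in key else "x64",
            "registered_by": f"{proc} (PID {pid})",
            "threading": None,
        })
        if m.group(2) and name.lower() == "threadingmodel":
            entry["threading"] = data
    return servers

if __name__ == "__main__":
    for category, evs in summarize(EVENTS).items():
        print(f"{category}: {len(evs)} write(s)")
    print(com_servers(EVENTS))
```

On a live host the follow-up to a "com-class" hit is to read the InProcServer32 default value for that CLSID under the same hive view (here HKLM\SOFTWARE\Classes\WOW6432Node) and verify the file it names; the report shows only the ThreadingModel write, so that path has to come from the full report or the host.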
Executable files: 9
Suspicious files: 7
Text files: 2
Unknown types: 0

Dropped files (all by PID 7456 EzExtractSetup.exe)

File: C:\Users\admin\AppData\Local\Temp\nscBD09.tmp
Type: (not listed)   MD5: (not listed)   SHA256: (not listed)

File: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\NsisPlugin.dll
Type: executable
MD5: 1D0E98E6817A35237509731E1398B47A
SHA256: 23ABC9395B36419700F31B507F13A189EC2EEB70C7E1A1FE9406C2B9E0728298

File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 971C514F84BBA0785F80AA1C23EDFD79
SHA256: F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895

File: C:\Users\Public\Desktop\EzExtractPro.lnk
Type: binary
MD5: 17AF8FFF3F9BA5563C03E9D4BC67472B
SHA256: A1B7FEF711B246B7CCB32375BDB38EC7368DC35A9F6D6851D62685502A7BBD15

File: C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll
Type: executable
MD5: 968E162057C49C860813E465BFD3C2FA
SHA256: 08CCD848487F570175E3C5B8FA70B04CE30E3AFB9F43B4105180E2EB079C85C6

File: C:\Program Files (x86)\EzExtractPro\EzExtractProCoreDll.dll
Type: executable
MD5: EDE6796697ABFD295B96322048642A69
SHA256: 6F9B0B8E8D1EFBE25B81B0676A5902EC97AAC1BFDC84A1A2D1B58659EB44DC5D

File: C:\Program Files (x86)\EzExtractPro\uninstall.exe
Type: executable
MD5: 99B2D2CB8CDCA9C87F41EE2B5A24BDF9
SHA256: AD9995819DD9AC48B00347F89A1EEF1D22F9EEEC90700498C79F507C1AB918AB

File: C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
Type: executable
MD5: 3B67B6026237810356F5AEFB373D2B15
SHA256: 554EF8F1D2B201421A53DBBF897FCBEA20DBBA9D6E8FA881AD0B52BE60C11F5E

File: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\nsDialogs.dll
Type: executable
MD5: 6C3F8C94D0727894D706940A8A980543
SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2

File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EzExtractPro\Uninstall EzExtractPro.lnk
Type: binary
MD5: C92BDEA4DADA3FA5DF49C2E027A06CF8
SHA256: A67F403E28457360211E53117C969C1595E9E083DFB8A5FE1D8D18C4220C95CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 25
DNS requests: 19
Threats: 0

HTTP requests

(Per request: PID and process, method, HTTP code, server IP:port, URL, country, reputation. Type and Size were empty for every row. Only the two c.pki.goog CRL fetches belong to the installer, PID 7456; the remaining requests come from Windows components.)

(PID not attributed) GET 200 23.48.23.156:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (country unknown; whitelisted)
PID 7456 EzExtractSetup.exe: GET 200 216.58.212.163:80 http://c.pki.goog/r/gsr1.crl (country unknown; whitelisted)
PID 6544 svchost.exe: GET 200 184.30.131.245:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D (country unknown; whitelisted)
PID 7456 EzExtractSetup.exe: GET 200 216.58.212.163:80 http://c.pki.goog/r/r4.crl (country unknown; whitelisted)
PID 7676 backgroundTaskHost.exe: GET 200 2.23.77.188:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D (country unknown; whitelisted)
PID 7536 SIHClient.exe: GET 200 2.23.246.101:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl (country unknown; whitelisted)
PID 7536 SIHClient.exe: GET 200 2.23.246.101:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl (country unknown; whitelisted)
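The two ocsp.digicert.com URLs above carry a complete OCSP request in the path (RFC 6960, appendix A.1: the DER-encoded OCSPRequest, base64 and then URL-encoded). Decoding it tells you which certificate a process was checking, which is how you attribute such traffic when a sample and Windows both talk to the same responder. In this run both requests come from Windows processes (svchost.exe, backgroundTaskHost.exe), not from the installer, so the decode is an exclusion step. The decoder below is an added example and not part of the ANY.RUN report: the URLs are copied from the table, and the minimal DER walker is the editor's, covering only a single-request OCSPRequest without extensions.

```python
"""Decode an OCSP GET request URL into its CertID fields.

Added example, not part of the ANY.RUN report. REPORT_OCSP_URLS are the two
ocsp.digicert.com requests from the report; the DER walker is the editor's and
handles only what a single-request OCSPRequest without extensions contains.
"""
import base64
from urllib.parse import unquote, urlsplit

SHA1_OID = "1.3.14.3.2.26"

REPORT_OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D",
]

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos). Short and long
    length forms only; indefinite length does not occur in DER."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER body."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_ocsp_get(url: str) -> dict:
    """Return hash algorithm, issuerNameHash, issuerKeyHash and serial (hex)
    from an OCSP GET URL whose path is just the encoded request."""
    b64 = unquote(urlsplit(url).path.lstrip("/"))      # assumes no path prefix before the request
    der = base64.b64decode(b64)
    _, ocsp_request, _ = _tlv(der, 0)                  # OCSPRequest ::= SEQUENCE
    _, tbs, _ = _tlv(ocsp_request, 0)                  # tbsRequest ::= SEQUENCE
    pos = 0
    while True:                                        # skip optional [0] version / [1] requestorName
        tag, val, pos = _tlv(tbs, pos)
        if tag == 0x30:
            request_list = val                         # requestList ::= SEQUENCE OF Request
            break
    _, request, _ = _tlv(request_list, 0)              # first Request ::= SEQUENCE
    _, cert_id, _ = _tlv(request, 0)                   # reqCert ::= CertID
    _, alg, pos = _tlv(cert_id, 0)                     # hashAlgorithm ::= AlgorithmIdentifier
    _, oid_raw, _ = _tlv(alg, 0)
    _, name_hash, pos = _tlv(cert_id, pos)             # issuerNameHash OCTET STRING
    _, key_hash, pos = _tlv(cert_id, pos)              # issuerKeyHash OCTET STRING
    _, serial, _ = _tlv(cert_id, pos)                  # serialNumber INTEGER
    return {
        "hash_alg": _oid(oid_raw),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }

if __name__ == "__main__":
    for url in REPORT_OCSP_URLS:
        fields = decode_ocsp_get(url)
        alg = "sha1" if fields["hash_alg"] == SHA1_OID else fields["hash_alg"]
        print(f"{alg} issuerKeyHash={fields['issuer_key_hash']} serial={fields['serial']}")
```

issuerKeyHash is the SHA-1 of the issuer's public key, which for most CAs equals the SubjectKeyIdentifier in the issuer certificate, so it can be matched against a local CA store to name the issuer; the serial then identifies the exact certificate being checked, which is what you compare with the Authenticode signer of the dropped files to decide whether a given OCSP request was the sample's or the OS's.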

Connections

(Per connection: PID and process, destination IP:port, domain, ASN, country, reputation. The installer, PID 7456, reaches exactly one destination that is not whitelisted: ezextractinstaller.com over TLS behind Cloudflare. Its two CRL fetches from c.pki.goog at 216.58.212.163 are consistent with chain validation for that TLS connection. What was exchanged with ezextractinstaller.com is not visible in this summary; the PCAP in the full report is needed for that.)

PID 4 System -> 192.168.100.255:137 (whitelisted)
(PID not attributed) -> 51.124.78.146:443 settings-win.data.microsoft.com (MICROSOFT-CORP-MSN-AS-BLOCK, NL; whitelisted)
(PID not attributed) -> 23.48.23.156:80 crl.microsoft.com (Akamai International B.V., DE; whitelisted)
PID 4 System -> 192.168.100.255:138 (whitelisted)
PID 7456 EzExtractSetup.exe -> 104.21.32.2:443 ezextractinstaller.com (CLOUDFLARENET; reputation unknown)
PID 7456 EzExtractSetup.exe -> 216.58.212.163:80 (GOOGLE, US; whitelisted)
PID 3216 svchost.exe -> 40.115.3.253:443 client.wns.windows.com (MICROSOFT-CORP-MSN-AS-BLOCK, NL; whitelisted)
PID 6544 svchost.exe -> 40.126.31.71:443 login.live.com (MICROSOFT-CORP-MSN-AS-BLOCK, IE; whitelisted)
PID 6544 svchost.exe -> 184.30.131.245:80 ocsp.digicert.com (AKAMAI-AS, US; whitelisted)
PID 7676 backgroundTaskHost.exe -> 20.223.36.55:443 arc.msn.com (MICROSOFT-CORP-MSN-AS-BLOCK, IE; whitelisted)

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
ezextractinstaller.com
  • 104.21.32.2
  • 172.67.181.227
unknown
c.pki.goog
  • 52.111.236.21
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.2
  • 40.126.31.67
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info