File name:

EzExtractSetup.exe

Full analysis: https://app.any.run/tasks/5aa1dcb6-cb2e-43bd-a59c-f37840fbeb0e
Verdict: Malicious activity
Analysis date: March 25, 2025, 00:51:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

7399EBE1E1B9C99F3CB4A2521D424384

SHA1:

7A560782421FEB72B1E84F162CF0ABD0809FDA28

SHA256:

4704846C5605552A2573AEB62F176630FD2BA5498457420C3FB36A27CAE6800F

SSDEEP:

98304:QBXfMTSPotXjLlZa6XloPaUP0KsdzGP5shhrLAvKxKEczZRNNYyWs0CbXnoGAyvp:QioCUm5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • regsvr32.exe (PID: 6712)
    • Registers / Runs the DLL via REGSVR32.EXE

      • EzExtractSetup.exe (PID: 7456)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Executable content was dropped or overwritten

      • EzExtractSetup.exe (PID: 7456)
    • The process creates files with name similar to system file names

      • EzExtractSetup.exe (PID: 7456)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • EzExtractSetup.exe (PID: 7456)
    • There is functionality for taking screenshot (YARA)

      • EzExtractSetup.exe (PID: 7456)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6712)
      • regsvr32.exe (PID: 2284)
    • Creates a software uninstall entry

      • EzExtractSetup.exe (PID: 7456)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 7304)
  • INFO

    • The sample compiled with english language support

      • EzExtractSetup.exe (PID: 7456)
    • Checks supported languages

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Reads the machine GUID from the registry

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Reads the software policy settings

      • EzExtractSetup.exe (PID: 7456)
      • slui.exe (PID: 7616)
    • Reads the computer name

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Checks proxy server information

      • EzExtractSetup.exe (PID: 7456)
    • Creates files or folders in the user directory

      • EzExtractSetup.exe (PID: 7456)
      • EzExtractProApp.exe (PID: 1348)
    • Create files in a temporary directory

      • EzExtractSetup.exe (PID: 7456)
    • Creates files in the program directory

      • EzExtractSetup.exe (PID: 7456)
    • Manual execution by a user

      • mspaint.exe (PID: 3888)
      • mspaint.exe (PID: 7880)
    • Confuser has been detected (YARA)

      • EzExtractProApp.exe (PID: 1348)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7432)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:58:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Empire Security Services Inc
FileDescription: EzExtractPro
FileVersion: 1.0.0.1
LegalCopyright: Copyright © Empire Security Services Inc 2024
ProductName: EzExtractPro
ProductVersion: 1.0.0.1
No data.
All screenshots are available in the full report
Total processes
151
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in the graph (in start order):
  • ezextractsetup.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • explorer.exe (no specs)
  • explorer.exe (no specs)
  • ezextractproapp.exe (no specs)
  • mspaint.exe (no specs)
  • mspaint.exe (no specs)
  • slui.exe (no specs)
  • ezextractsetup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1348
CMD: "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
Parent process: explorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
MEDIUM
Description:
EzExtractPro
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files (x86)\ezextractpro\ezextractproapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2284
CMD: /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3888
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\insteadannouncements.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5072
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6712
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7304
CMD: "C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Windows\explorer.exe
Parent process: EzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 7352
CMD: "C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
MEDIUM
Description:
EzExtractPro
Exit code:
3221226540
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7432
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 7456
CMD: "C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\EzExtractSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
HIGH
Description:
EzExtractPro
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7584
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
4 467
Read events
4 386
Write events
79
Delete events
2

Modification events

(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EzExtractPro
Operation: write
Name: InstallPath
Value:
C:\Program Files (x86)\EzExtractPro
(PID) Process: (6712) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32
Operation: write
Name: ThreadingModel
Value:
Both
(PID) Process: (6712) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}
Operation: write
Name: ManualSafeSave
Value:
1
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: DisplayName
Value:
EzExtractPro 1.0.0.1
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: InstallDate
Value:
20250325
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: InstallLocation
Value:
C:\Program Files (x86)\EzExtractPro\
(PID) Process: (7456) EzExtractSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: DisplayIcon
Value:
C:\Program Files (x86)\EzExtractPro\uninstall.exe
Executable files
9
Suspicious files
7
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD09.tmp
Type:
MD5:
SHA256:
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\NsisPlugin.dll
Type: executable
MD5: 1D0E98E6817A35237509731E1398B47A
SHA256: 23ABC9395B36419700F31B507F13A189EC2EEB70C7E1A1FE9406C2B9E0728298
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 56595A0C1C8468BCB58CD6ABC7646862
SHA256: 03B1E2A31DBBCBB483113C93D806AD2E3C9D6F751D15B41C2E3E5AE3793BF35C
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: C9BE626E9715952E9B70F92F912B9787
SHA256: C13E8D22800C200915F87F71C31185053E4E60CA25DE2E41E160E09CD2D815D4
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\INetC.dll
Type: executable
MD5: 40D7ECA32B2F4D29DB98715DD45BFAC5
SHA256: 85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 971C514F84BBA0785F80AA1C23EDFD79
SHA256: F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: C05F09C880896C83DC538D378EDF88A4
SHA256: 960546AB419A691098E348933EF59291AFF98CFF273B272F3AB98AB0DCC2EAE9
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\System.dll
Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\nsDialogs.dll
Type: executable
MD5: 6C3F8C94D0727894D706940A8A980543
SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
PID: 7456
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscBD0A.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7456
EzExtractSetup.exe
GET
200
216.58.212.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7456
EzExtractSetup.exe
GET
200
216.58.212.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7536
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7676
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7536
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7456
EzExtractSetup.exe
104.21.32.2:443
ezextractinstaller.com
CLOUDFLARENET
unknown
7456
EzExtractSetup.exe
216.58.212.163:80
GOOGLE
US
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7676
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
ezextractinstaller.com
  • 104.21.32.2
  • 172.67.181.227
unknown
c.pki.goog
  • 52.111.236.21
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.2
  • 40.126.31.67
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info