File name: EzExtractSetup.exe

Full analysis: https://app.any.run/tasks/aba5ae23-7935-42ef-9fac-01380c94dca6
Verdict: Malicious activity
Analysis date: August 11, 2024, 16:16:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 7399EBE1E1B9C99F3CB4A2521D424384
SHA1: 7A560782421FEB72B1E84F162CF0ABD0809FDA28
SHA256: 4704846C5605552A2573AEB62F176630FD2BA5498457420C3FB36A27CAE6800F
SSDEEP: 98304:QBXfMTSPotXjLlZa6XloPaUP0KsdzGP5shhrLAvKxKEczZRNNYyWs0CbXnoGAyvp:QioCUm5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • EzExtractSetup.exe (PID: 6468)
    • The DLL Hijacking

      • regsvr32.exe (PID: 7140)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • EzExtractSetup.exe (PID: 6468)
    • Reads security settings of Internet Explorer

      • EzExtractSetup.exe (PID: 6468)
      • EzExtractProApp.exe (PID: 4788)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • EzExtractSetup.exe (PID: 6468)
    • Checks Windows Trust Settings

      • EzExtractSetup.exe (PID: 6468)
    • Executable content was dropped or overwritten

      • EzExtractSetup.exe (PID: 6468)
    • The process creates files with name similar to system file names

      • EzExtractSetup.exe (PID: 6468)
    • Creates a software uninstall entry

      • EzExtractSetup.exe (PID: 6468)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7140)
      • regsvr32.exe (PID: 6204)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 4692)
  • INFO

    • Reads the machine GUID from the registry

      • EzExtractSetup.exe (PID: 6468)
      • EzExtractProApp.exe (PID: 4788)
    • Creates files in the program directory

      • EzExtractSetup.exe (PID: 6468)
    • Checks supported languages

      • EzExtractSetup.exe (PID: 6468)
      • EzExtractProApp.exe (PID: 4788)
    • Reads the computer name

      • EzExtractSetup.exe (PID: 6468)
      • EzExtractProApp.exe (PID: 4788)
    • Create files in a temporary directory

      • EzExtractSetup.exe (PID: 6468)
    • Checks proxy server information

      • EzExtractSetup.exe (PID: 6468)
    • Reads the software policy settings

      • EzExtractSetup.exe (PID: 6468)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6296)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:58:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Empire Security Services Inc
FileDescription: EzExtractPro
FileVersion: 1.0.0.1
LegalCopyright: Copyright © Empire Security Services Inc 2024
ProductName: EzExtractPro
ProductVersion: 1.0.0.1
All screenshots are available in the full report
Total processes: 129
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0


Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 4692
CMD: "C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Windows\explorer.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 4788
CMD: "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
Path: C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: MEDIUM
Description: EzExtractPro
Version: 1.0.0.1
Modules
Images
c:\program files (x86)\ezextractpro\ezextractproapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6204
CMD: /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6296
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 6416
CMD: "C:\Users\admin\Desktop\EzExtractSetup.exe"
Path: C:\Users\admin\Desktop\EzExtractSetup.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: MEDIUM
Description: EzExtractPro
Exit code: 3221226540
Version: 1.0.0.1
Modules
Images
c:\users\admin\desktop\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6468
CMD: "C:\Users\admin\Desktop\EzExtractSetup.exe"
Path: C:\Users\admin\Desktop\EzExtractSetup.exe
Parent process: explorer.exe
User: admin
Company: Empire Security Services Inc
Integrity Level: HIGH
Description: EzExtractPro
Exit code: 0
Version: 1.0.0.1
Modules
Images
c:\users\admin\desktop\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7140
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7164
CMD: C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: EzExtractSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 13 983
Read events: 13 917
Write events: 66
Delete events: 0

Modification events

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EzExtractPro
Operation: write
Name: InstallPath
Value: C:\Program Files (x86)\EzExtractPro

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: DisplayName
Value: EzExtractPro 1.0.0.1

Process: EzExtractSetup.exe (PID 6468)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation: write
Name: InstallDate
Value: 20240811
Executable files: 9
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsc7387.tmp
Type:
MD5:
SHA256:

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Users\Public\Desktop\EzExtractPro.lnk
Type: binary
MD5: 05E6EAE9AE555013C1D617648E213097
SHA256: 48581D147EF59B2E0E2B5222E787363FDD218C9F8AC5F9E07E7057F7736A3072

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsc7388.tmp\nsDialogs.dll
Type: executable
MD5: 6C3F8C94D0727894D706940A8A980543
SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsc7388.tmp\INetC.dll
Type: executable
MD5: 40D7ECA32B2F4D29DB98715DD45BFAC5
SHA256: 85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Program Files (x86)\EzExtractPro\EzExtractProCoreDll.dll
Type: executable
MD5: EDE6796697ABFD295B96322048642A69
SHA256: 6F9B0B8E8D1EFBE25B81B0676A5902EC97AAC1BFDC84A1A2D1B58659EB44DC5D

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EzExtractPro\EzExtractPro.lnk
Type: binary
MD5: 5361E2AB8268059E8114B1619965CFB9
SHA256: A183E620D5F76259ECD195BEC57FB11E975D5A41B7AD74AE903BE4D701B8331B

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
Type: executable
MD5: 3B67B6026237810356F5AEFB373D2B15
SHA256: 554EF8F1D2B201421A53DBBF897FCBEA20DBBA9D6E8FA881AD0B52BE60C11F5E

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EzExtractPro\Uninstall EzExtractPro.lnk
Type: binary
MD5: 4D1AF5789AE059E069F9422C74D4ADB8
SHA256: DDA85277F7E562076CB9F83389C76608A135A7AB95A4275BB22FCA7B1DB1F71E

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll
Type: executable
MD5: 24BE51BCE468016E106B55B19A2CBC80
SHA256: 2D3A1C7E0E6256344648A054BC5526D4804538FEF9CC87EFAB9EDB426BF1F4A6

PID: 6468
Process: EzExtractSetup.exe
Filename: C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll
Type: executable
MD5: 968E162057C49C860813E465BFD3C2FA
SHA256: 08CCD848487F570175E3C5B8FA70B04CE30E3AFB9F43B4105180E2EB079C85C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 17
DNS requests: 6
Threats: 0

HTTP requests

Method | HTTP Code | IP | URL | Reputation | Type | Size
POST | 200 | 172.67.181.227:443 | https://ezextractinstaller.com/sync | unknown | binary | 1 b
POST | 200 | 104.21.32.2:443 | https://ezextractinstaller.com/sync | unknown | binary | 1 b
POST | 200 | 172.67.181.227:443 | https://ezextractinstaller.com/sync | unknown | binary | 1 b
POST | 204 | 104.126.37.160:443 | https://www.bing.com/threshold/xls.aspx | unknown | |
POST | 200 | 104.21.32.2:443 | https://ezextractinstaller.com/sync | unknown | binary | 1 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4084 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4016 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6468 | EzExtractSetup.exe | 104.21.32.2:443 | ezextractinstaller.com | CLOUDFLARENET | | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4084 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.181.238 | whitelisted
ezextractinstaller.com | 104.21.32.2, 172.67.181.227 | unknown
www.bing.com | 2.23.209.140, 2.23.209.182, 2.23.209.141, 2.23.209.158, 2.23.209.149, 2.23.209.179, 2.23.209.150, 2.23.209.160, 2.23.209.183 | whitelisted

Threats

No threats detected
No debug info