File name:

EzExtractSetup.exe

Full analysis: https://app.any.run/tasks/ebe7e78d-c745-4845-b077-0f1970202f9c
Verdict: Malicious activity
Analysis date: May 12, 2025, 11:43:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

7399EBE1E1B9C99F3CB4A2521D424384

SHA1:

7A560782421FEB72B1E84F162CF0ABD0809FDA28

SHA256:

4704846C5605552A2573AEB62F176630FD2BA5498457420C3FB36A27CAE6800F

SSDEEP:

98304:QBXfMTSPotXjLlZa6XloPaUP0KsdzGP5shhrLAvKxKEczZRNNYyWs0CbXnoGAyvp:QioCUm5m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • EzExtractSetup.exe (PID: 4560)

    • The DLL Hijacking

      • regsvr32.exe (PID: 2384)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EzExtractSetup.exe (PID: 4560)
      • EzExtractProApp.exe (PID: 2064)
      • EzExtractProApp.exe (PID: 4776)

    • Executable content was dropped or overwritten

      • EzExtractSetup.exe (PID: 4560)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • EzExtractSetup.exe (PID: 4560)

    • There is functionality for taking screenshot (YARA)

      • EzExtractSetup.exe (PID: 4560)

    • The process creates files with name similar to system file names

      • EzExtractSetup.exe (PID: 4560)

    • Creates a software uninstall entry

      • EzExtractSetup.exe (PID: 4560)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2384)
      • regsvr32.exe (PID: 7052)

    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 960)

  • INFO

    • The sample compiled with english language support

      • EzExtractSetup.exe (PID: 4560)

    • Reads the machine GUID from the registry

      • EzExtractSetup.exe (PID: 4560)
      • EzExtractProApp.exe (PID: 4776)
      • EzExtractProApp.exe (PID: 2064)

    • Checks supported languages

      • EzExtractSetup.exe (PID: 4560)
      • EzExtractProApp.exe (PID: 4776)
      • EzExtractProApp.exe (PID: 2064)

    • Reads the computer name

      • EzExtractSetup.exe (PID: 4560)
      • EzExtractProApp.exe (PID: 4776)
      • EzExtractProApp.exe (PID: 2064)

    • Checks proxy server information

      • EzExtractSetup.exe (PID: 4560)

    • Create files in a temporary directory

      • EzExtractSetup.exe (PID: 4560)

    • Reads the software policy settings

      • EzExtractSetup.exe (PID: 4560)
      • slui.exe (PID: 1568)

    • Creates files or folders in the user directory

      • EzExtractSetup.exe (PID: 4560)

    • Creates files in the program directory

      • EzExtractSetup.exe (PID: 4560)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6512)

    • Manual execution by a user

      • EzExtractProApp.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:58:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Empire Security Services Inc
FileDescription: EzExtractPro
FileVersion: 1.0.0.1
LegalCopyright: Copyright © Empire Security Services Inc 2024
ProductName: EzExtractPro
ProductVersion: 1.0.0.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
12
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ezextractsetup.exe sppextcomobj.exe no specs slui.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs explorer.exe no specs explorer.exe no specs slui.exe no specs ezextractproapp.exe no specs ezextractproapp.exe no specs ezextractsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
960"C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"C:\Windows\explorer.exeEzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
1132"C:\Users\admin\Desktop\EzExtractSetup.exe" C:\Users\admin\Desktop\EzExtractSetup.exeexplorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
MEDIUM
Description:
EzExtractPro
Exit code:
3221226540
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1568"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2064"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe" C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exeexplorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
MEDIUM
Description:
EzExtractPro
Version:
1.0.0.1
Modules
Images
c:\program files (x86)\ezextractpro\ezextractproapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2384C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"C:\Windows\SysWOW64\regsvr32.exeEzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2772C:\WINDOWS\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"C:\Windows\SysWOW64\regsvr32.exeEzExtractSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
4016C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4560"C:\Users\admin\Desktop\EzExtractSetup.exe" C:\Users\admin\Desktop\EzExtractSetup.exe
explorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
HIGH
Description:
EzExtractPro
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\ezextractsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4776"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe" C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exeexplorer.exe
User:
admin
Company:
Empire Security Services Inc
Integrity Level:
MEDIUM
Description:
EzExtractPro
Version:
1.0.0.1
Modules
Images
c:\program files (x86)\ezextractpro\ezextractproapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5212C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
7 633
Read events
7 500
Write events
127
Delete events
6

Modification events

(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EzExtractPro
Operation:writeName:InstallPath
Value:
C:\Program Files (x86)\EzExtractPro
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:DisplayName
Value:
EzExtractPro 1.0.0.1
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:InstallDate
Value:
20250512
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:InstallLocation
Value:
C:\Program Files (x86)\EzExtractPro\
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:DisplayIcon
Value:
C:\Program Files (x86)\EzExtractPro\uninstall.exe
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:DisplayVersion
Value:
1.0.0.1
(PID) Process:(4560) EzExtractSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EzExtractPro
Operation:writeName:Publisher
Value:
Copyright © Empire Security Services Inc 2024
Executable files
9
Suspicious files
7
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4560EzExtractSetup.exeC:\Users\admin\AppData\Local\Temp\nst24CC.tmp
MD5:
SHA256:
4560EzExtractSetup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\EzExtractPro\EzExtractPro.lnkbinary
MD5:A7202D2A955BEF264BAF50173C83E058
SHA256:717CC234C67C3171F62181356DD9021209E8B3EF9B1CDF7DA2D47D9A99FD4454
4560EzExtractSetup.exeC:\Users\admin\AppData\Local\Temp\nst24CD.tmp\NsisPlugin.dllexecutable
MD5:1D0E98E6817A35237509731E1398B47A
SHA256:23ABC9395B36419700F31B507F13A189EC2EEB70C7E1A1FE9406C2B9E0728298
4560EzExtractSetup.exeC:\Program Files (x86)\EzExtractPro\EzExtractProCoreDll.dllexecutable
MD5:EDE6796697ABFD295B96322048642A69
SHA256:6F9B0B8E8D1EFBE25B81B0676A5902EC97AAC1BFDC84A1A2D1B58659EB44DC5D
4560EzExtractSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:BAF674D156EEBC57E164D5B6E64EA8F6
SHA256:730EB45CE41BE48C48301BEBB6740805E5E6C7D80D392BC2EB48603D2A738E05
4560EzExtractSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
4560EzExtractSetup.exeC:\Users\Public\Desktop\EzExtractPro.lnkbinary
MD5:EAD9842482DBAA5CD3B25C1FEAC9F174
SHA256:A6F48B4B35238EC6D1D9F19E782916027D4F42CF50E72D48D1981961B8014682
4560EzExtractSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
4560EzExtractSetup.exeC:\Users\admin\AppData\Local\Temp\nst24CD.tmp\nsDialogs.dllexecutable
MD5:6C3F8C94D0727894D706940A8A980543
SHA256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
4560EzExtractSetup.exeC:\Program Files (x86)\EzExtractPro\EzExtractProShell.dllexecutable
MD5:968E162057C49C860813E465BFD3C2FA
SHA256:08CCD848487F570175E3C5B8FA70B04CE30E3AFB9F43B4105180E2EB079C85C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.191:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4560
EzExtractSetup.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
4560
EzExtractSetup.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
5868
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5868
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.190.160.20:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.20:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.191:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4560
EzExtractSetup.exe
104.21.32.2:443
ezextractinstaller.com
CLOUDFLARENET
unknown
4560
EzExtractSetup.exe
142.250.185.99:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.191
  • 23.48.23.138
  • 23.48.23.192
  • 23.48.23.147
  • 23.48.23.181
  • 23.48.23.146
  • 23.48.23.190
  • 23.48.23.145
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ezextractinstaller.com
  • 104.21.32.2
  • 172.67.181.227
unknown
c.pki.goog
  • 142.250.185.99
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
EzExtractSetup.exe