File name: ConfuserEx-Unpacker-v2.0.zip

Full analysis: https://app.any.run/tasks/6fec7bc5-27c0-460c-a596-14ece9e18ac9
Verdict: Malicious activity
Analysis date: August 26, 2020, 22:51:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 98353759951B4445ACF275FA4CF61C84
SHA1: 221FD714FD7A1573349FC9F3EC82854F983FA997
SHA256: 5D285449230DAA8CFF167287A4D10FA4F25EEA26B1673B8152C2BDB840E658D3
SSDEEP: 24576:Ud151sO5lgW5v55CKbKQltXHejxx9CbuIJP:41AO5lgW5v5pbKQlNmxZIV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3464)
      • ConfuserEx-Unpacker.exe (PID: 1440)
      • ConfuserEx-Unpacker.exe (PID: 2836)
    • Application was dropped or rewritten from another process
      • ConfuserEx-Unpacker.exe (PID: 1440)
      • ConfuserEx-Unpacker.exe (PID: 2836)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3880)
  • INFO
    • Manual execution by user
      • ConfuserEx-Unpacker.exe (PID: 2836)
      • ConfuserEx-Unpacker.exe (PID: 1440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:07:14 11:25:10
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: bin/
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, winrar.exe, searchprotocolhost.exe (no specs), confuserex-unpacker.exe (no specs), confuserex-unpacker.exe

Process information

PID: 1440
CMD: "C:\Users\admin\Desktop\bin\ConfuserEx-Unpacker.exe"
Path: C:\Users\admin\Desktop\bin\ConfuserEx-Unpacker.exe
Parent process: explorer.exe
User: admin
Company: ElektroKill
Integrity Level: MEDIUM
Description: ConfuserEx Unpacker CLI
Exit code: 3221225786
Version: 2.0.0.0
Modules (Images):
c:\users\admin\desktop\bin\confuserex-unpacker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2836
CMD: "C:\Users\admin\Desktop\bin\ConfuserEx-Unpacker.exe" "C:\Users\Public\Desktop\FileZilla Client.lnk"
Path: C:\Users\admin\Desktop\bin\ConfuserEx-Unpacker.exe
Parent process: explorer.exe
User: admin
Company: ElektroKill
Integrity Level: MEDIUM
Description: ConfuserEx Unpacker CLI
Exit code: 3762504530
Version: 2.0.0.0
Modules (Images):
c:\users\admin\desktop\bin\confuserex-unpacker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3464
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3880
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ConfuserEx-Unpacker-v2.0.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 791
Read events: 766
Write events: 25
Delete events: 0

Modification events

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

Process: (PID 3880) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (PID 3880) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ConfuserEx-Unpacker-v2.0.zip

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (PID 3880) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (PID 3880) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document
Executable files: 7
Suspicious files: 1
Text files: 1
Unknown types: 3

Dropped files

PID: 3880 | Process: WinRAR.exe | Type: pdb
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\CawkEmulatorV4.pdb
MD5: 85479472F26405170581456A81E24978
SHA256: ED8FC446EE511BD21D2EA4A61E615677865A10F9B91EC728C27268B1D84ECE30

PID: 3880 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\ConfuserEx-Unpacker.exe
MD5: 839A23896F4CE09D54F24C17D0464C00
SHA256: 394C15F8B2063FFD60ADBC7F5AE69FD4021BC2184540B8573AAED579D01F2CE9

PID: 3880 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\de4dot.blocks.pdb
MD5: 6DE9AFC62C674C14EC2F46E68CDBD019
SHA256: 0D03CE5DC6C9E69B7050336FD6DCCC63B067F6AE5B007B9FC87A86F7FFB4D939

PID: 3880 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\de4dot.blocks.dll
MD5: FE239E39FD02090AC7B1F4EA508917C1
SHA256: 5C680D58D702D63A1685E5C2EEBFD2B4AABC156CAC9F6505397AB2E19651CDFE

PID: 3880 | Process: WinRAR.exe | Type: pdb
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\ConfuserEx-Unpacker.pdb
MD5: B28B57A875F9168372B90D9EC3BFE97B
SHA256: 0A7CD40F42C63D65579053ECFFEEB5980D08149A1645F786F25039B3C465755A

PID: 3880 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\SharpDisasm.dll
MD5: 0F900D9190603D646009EC3523FA43CC
SHA256: 6D3CE990CDF58DA228697D25416D16D15994135C5F66571FE1E00E9C975BC2CF

PID: 3880 | Process: WinRAR.exe | Type: pdb
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\Unpacker.Core.pdb
MD5: 72097A0711F0FE9D79FB1300F5D3ADF3
SHA256: AB5AEDDC12DF444839DB199674236F2AE7A0AC1089A9AB6294CF92E7CF904AB0

PID: 3880 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\dnlib.dll
MD5: D53CB95E38D5D646C42F75D496CE56CC
SHA256: 874587C0F002A17869B869E18F30A9C7D03847C6A63E5A72D27143D9EF8D52BF

PID: 3880 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\dnlib.xml
MD5: E69FE104785DCD319545832EB53878CB
SHA256: 2D2318E952054DD647DB1FA97A38F9E29E48A92C7137D60D0727DEF4476BE97A

PID: 3880 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3880.12601\bin\Unpacker.Core.dll
MD5: E35B36262F36B691921C3D287909324B
SHA256: 7BFF400410BF1F9F72DE4094C46925E851CE401CCA745C755E055B89C475310E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info