File name: unConfuserEx.7z

Full analysis: https://app.any.run/tasks/4c5b1aec-cd2c-4689-8361-f295c9c93f29
Verdict: No threats detected
Analysis date: August 14, 2019, 05:34:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: EC1E60273020EBC07155FCCD7520F3D7
SHA1: 682EB7D67325EBC2EB49C8F577AC1510B5860FE4
SHA256: 8473081D2E7670BEE1FD116F6018065BCAA60D07F2377ADAA439B18C54D1FC48
SSDEEP: 24576:oqPdGo7+o9BdEM8iMGTWSeEwJTvFuCaFQRtU:L/Xz+MrMLcDC+
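Added example (not part of the ANY.RUN report): a Python check that a local copy of the sample is the same file this report describes, by comparing its MD5/SHA1/SHA256 with the values above and by parsing the 7z signature header to confirm the "7-zip archive data, version 0.4" identification from the File info and TRiD lines. The hash values are copied from this report; the header layout (6-byte magic, major/minor version byte, CRC32 over the 20-byte start header) is the documented 7z container format; the bytes produced by build_sample_header are constructed for testing and are not the real archive. SSDEEP is left out because it needs a third-party library.

```python
"""Verify a local sample against the hashes and file-type claims in the report."""
import hashlib
import struct
import zlib

# Hashes exactly as printed in the ANY.RUN report for unConfuserEx.7z.
REPORT_HASHES = {
    "md5": "ec1e60273020ebc07155fccd7520f3d7",
    "sha1": "682eb7d67325ebc2eb49c8f577ac1510b5860fe4",
    "sha256": "8473081d2e7670bee1fd116f6018065bcaa60d07f2377adaa439b18c54d1fc48",
}

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # fixed 6-byte 7z signature


def digest_all(data: bytes) -> dict:
    """Lower-case hex digests for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per-algorithm True/False against the report's values."""
    got = digest_all(data)
    return {name: got[name] == expected for name, expected in REPORT_HASHES.items()}


def parse_7z_signature_header(data: bytes) -> dict:
    """Parse the 32-byte 7z signature header.

    Layout: magic(6) | major(1) | minor(1) | StartHeaderCRC(4) |
            NextHeaderOffset(8) | NextHeaderSize(8) | NextHeaderCRC(4)
    StartHeaderCRC is CRC32 over the 20 bytes that follow it, so a
    truncated or patched start header is detectable without reading further.
    """
    if len(data) < 32:
        raise ValueError("too short for a 7z signature header")
    if data[:6] != SEVENZIP_MAGIC:
        raise ValueError("not a 7z archive (bad magic)")
    major, minor = data[6], data[7]
    (start_crc,) = struct.unpack("<I", data[8:12])
    next_off, next_size, next_crc = struct.unpack("<QQI", data[12:32])
    calc = zlib.crc32(data[12:32]) & 0xFFFFFFFF
    return {
        "version": f"{major}.{minor}",
        "start_header_crc_ok": calc == start_crc,
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "next_header_crc": next_crc,
    }


def build_sample_header(next_off: int = 0, next_size: int = 0, next_crc: int = 0) -> bytes:
    """Constructed test input: a well-formed version 0.4 signature header with no packed data."""
    tail = struct.pack("<QQI", next_off, next_size, next_crc)
    crc = zlib.crc32(tail) & 0xFFFFFFFF
    return SEVENZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", crc) + tail


def check_file(path: str) -> dict:
    """Run both checks on a file on disk (e.g. the downloaded unConfuserEx.7z)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hashes": matches_report(data), "header": parse_7z_signature_header(data)}


if __name__ == "__main__":
    import sys
    print(check_file(sys.argv[1]))
```

Run it as `python check_sample.py unConfuserEx.7z`; all three hash flags must be True before any conclusion from this report is applied to the copy you hold, and a header version other than 0.4 or a failing start-header CRC means the file is not the archive TRiD described.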

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Manual execution by user

      • ConfuserExCallFixer.exe (PID: 3504)
      • ConfuserExConstantDecryptor.exe (PID: 2780)
      • ConfuserExExpressionKiller.exe (PID: 3616)
      • ConfuserExFixer.exe (PID: 1748)
      • ConfuserExMethodsDecryptor.exe (PID: 3288)
      • ConfuserExCfgKiller.exe (PID: 3976)
      • ConfuserExceptionsRestore.exe (PID: 2112)
      • ConfuserExDupPopPatcher.exe (PID: 2152)
      • ConfuserExSwitchKiller.exe (PID: 3196)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 10
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Nodes: start, winrar.exe (no specs), confuserexcallfixer.exe, confuserexceptionsrestore.exe, confuserexcfgkiller.exe, confuserexconstantdecryptor.exe, confuserexduppoppatcher.exe, confuserexexpressionkiller.exe, confuserexfixer.exe, confuserexswitchkiller.exe, confuserexmethodsdecryptor.exe

Process information

Columns as shown in the report: PID, CMD, Path, Indicators, Parent process.
PID 1748
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExFixer.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExFixer.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ConfuserExFixer
Exit code: 0
Version: 1.0.5236.27565
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexfixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2112
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExceptionsRestore.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExceptionsRestore.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Confuser_Methods_Decryptor
Exit code: 0
Version: 1.0.5996.14883
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexceptionsrestore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2152
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExDupPopPatcher.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExDupPopPatcher.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ProperReturnPatcher
Exit code: 0
Version: 1.0.5239.40294
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexduppoppatcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2620
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\unConfuserEx.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID 2780
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExConstantDecryptor.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExConstantDecryptor.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ConfuserExStringDecryptor
Exit code: 0
Version: 1.0.5621.22753
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexconstantdecryptor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3196
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExSwitchKiller.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExSwitchKiller.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ConfuserExSwitchKiller
Exit code: 0
Version: 1.0.5598.39755
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexswitchkiller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3288
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserEX Unpack\ConfuserExMethodsDecryptor.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserEX Unpack\ConfuserExMethodsDecryptor.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Confuser_Methods_Decryptor
Exit code: 0
Version: 1.0.5256.39453
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserex unpack\confuserexmethodsdecryptor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3504
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExCallFixer.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExCallFixer.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ProperReturnPatcher
Exit code: 0
Version: 1.0.5633.28923
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexcallfixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3616
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExExpressionKiller.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExExpressionKiller.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ConfuserExSwitchKiller
Exit code: 0
Version: 1.0.5623.28394
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexexpressionkiller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 3976
CMD: "C:\Users\admin\Desktop\unConfuserEx\ConfuserExCfgKiller.exe"
Path: C:\Users\admin\Desktop\unConfuserEx\ConfuserExCfgKiller.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: ConfuserExStringDecryptor
Exit code: 0
Version: 1.0.5621.28469
Modules (images):
c:\users\admin\desktop\unconfuserex\confuserexcfgkiller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
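Added example, not part of the ANY.RUN report: a Python triage of the process table above. Three facts in that table are worth recording and are what the script extracts. Every one of the nine tool processes loads mscoree.dll and mscoreei.dll (the CLR shim and the .NET 4 engine loader), which marks them as managed .NET executables and fits the dnlib.dll shipped with them; WinRAR does not load it. All nine run at HIGH integrity with explorer.exe as parent, i.e. they were started interactively by the user, elevated. And several version-resource Descriptions do not match the file name (ConfuserExCfgKiller.exe calls itself ConfuserExStringDecryptor, ConfuserExCallFixer.exe calls itself ProperReturnPatcher, and so on); that is not an indicator of malice on its own and most plausibly reflects reused project metadata, but because Description is what many tools display instead of the file name it is worth noting. The records are transcribed from the report (module lists reduced to the entries the checks use); the heuristics are this example's own, not ANY.RUN's signatures.

```python
"""Triage of the 'Process information' entries in the report."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    description: str
    integrity: str
    parent: str
    modules: tuple


# Module paths as listed in the report (subset sufficient for the checks below).
CLR = (r"c:\windows\system32\mscoree.dll",
       r"c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll")
NATIVE = (r"c:\systemroot\system32\ntdll.dll", r"c:\windows\system32\kernel32.dll")
BASE = r"C:\Users\admin\Desktop\unConfuserEx"

# Transcribed from the report's process table.
REPORT = (
    Proc(1748, BASE + r"\ConfuserExFixer.exe", "ConfuserExFixer", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(2112, BASE + r"\ConfuserExceptionsRestore.exe", "Confuser_Methods_Decryptor", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(2152, BASE + r"\ConfuserExDupPopPatcher.exe", "ProperReturnPatcher", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(2620, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR archiver", "MEDIUM", "explorer.exe", NATIVE),
    Proc(2780, BASE + r"\ConfuserExConstantDecryptor.exe", "ConfuserExStringDecryptor", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(3196, BASE + r"\ConfuserExSwitchKiller.exe", "ConfuserExSwitchKiller", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(3288, BASE + r"\ConfuserEX Unpack\ConfuserExMethodsDecryptor.exe", "Confuser_Methods_Decryptor", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(3504, BASE + r"\ConfuserExCallFixer.exe", "ProperReturnPatcher", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(3616, BASE + r"\ConfuserExExpressionKiller.exe", "ConfuserExSwitchKiller", "HIGH", "explorer.exe", NATIVE + CLR),
    Proc(3976, BASE + r"\ConfuserExCfgKiller.exe", "ConfuserExStringDecryptor", "HIGH", "explorer.exe", NATIVE + CLR),
)


def is_managed(p: Proc) -> bool:
    """A .NET executable is started through mscoree.dll (the CLR shim);
    a native program such as WinRAR never maps it."""
    names = {ntpath.basename(m).lower() for m in p.modules}
    return "mscoree.dll" in names or "mscoreei.dll" in names


def _norm(s: str) -> str:
    """Lower-case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def description_consistent(p: Proc) -> bool:
    """True when the version-resource Description and the file stem agree
    (one contains the other once case and punctuation are ignored)."""
    stem = _norm(ntpath.splitext(ntpath.basename(p.image))[0])
    desc = _norm(p.description)
    return stem in desc or desc in stem


def triage(procs=REPORT) -> dict:
    """Per-PID facts an analyst would record from this table."""
    return {
        p.pid: {
            "image": ntpath.basename(p.image),
            "managed": is_managed(p),
            "elevated": p.integrity.upper() == "HIGH",
            "interactive": p.parent.lower() == "explorer.exe",
            "description_mismatch": not description_consistent(p),
        }
        for p in procs
    }


def summary(procs=REPORT) -> dict:
    """PIDs grouped by finding, sorted for stable output."""
    t = triage(procs)
    return {
        "managed": sorted(pid for pid, r in t.items() if r["managed"]),
        "elevated": sorted(pid for pid, r in t.items() if r["elevated"]),
        "description_mismatch": sorted(pid for pid, r in t.items() if r["description_mismatch"]),
    }


if __name__ == "__main__":
    for pid, row in triage().items():
        print(pid, row)
    print(summary())
```

The same three checks apply to any sandbox process table: the CLR-shim test tells you which binaries a .NET decompiler will open, the integrity/parent pair tells you how the operator launched them, and the Description check catches metadata that was copied from another project or deliberately chosen to look like something else.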
Total events: 1,010
Read events: 958
Write events: 51
Delete events: 1

Modification events (registry writes; every listed event is by PID 2620, WinRAR.exe)

(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Name: ShellExtBMP | Value: (empty)
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Name: ShellExtIcon | Value: (empty)
(PID 2620) WinRAR.exe | write | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | Name: LanguageList | Value: en-US
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\unConfuserEx.7z
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Name: name | Value: 120
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Name: size | Value: 80
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Name: type | Value: 120
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Name: mtime | Value: 100
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID 2620) WinRAR.exe | write | Key: HKEY_CURRENT_USER\Software\WinRAR\General | Name: LastFolder | Value: C:\Users\admin\AppData\Local\Temp
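Added example, not part of the ANY.RUN report: a Python parser for the modification events as the report prints them, with a classification step that asks the question an analyst actually has about a list of registry writes, namely whether any of them lands in an autostart location. For this sample the answer is no: all ten writes are WinRAR persisting its own UI state (theme, column widths, window placement, archive history, last folder) plus a MUI cache entry. REPORT_EVENTS is the report's own text transcribed verbatim (header line, Operation/Name line, "Value:" line, then the value line when one exists); the parser and the short autostart-key list are this example's own and deliberately cover only the best-known locations, not ANY.RUN's signature set.

```python
"""Parse and classify the registry writes under 'Modification events'."""
import re
from dataclasses import dataclass

# Transcribed from the report exactly as printed.
REPORT_EVENTS = r"""(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2620) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\unConfuserEx.7z
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
"""

HEADER = re.compile(r"^\(PID\) Process:\((?P<pid>\d+)\) (?P<proc>.+?)Key:(?P<key>.+)$")
OPNAME = re.compile(r"^Operation:(?P<op>[a-z]+)Name:(?P<name>.*)$")
HIVE = re.compile(r"^(hkey_current_user|hkey_local_machine|hkey_classes_root|hkcu|hklm|hkcr|hkey_users\\[^\\]+)\\", re.I)
# Well-known autostart locations (small, illustrative subset; prefix match below hive root).
AUTOSTART = (
    r"software\microsoft\windows\currentversion\run",            # also matches RunOnce
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows nt\currentversion\image file execution options",
    r"system\currentcontrolset\services",
)


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    op: str
    name: str
    value: str


def parse_events(text: str) -> list:
    """Walk the flattened report text; a value line is present only when non-empty."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        if not h:
            i += 1
            continue
        o = OPNAME.match(lines[i + 1]) if i + 2 < len(lines) else None
        if not o or lines[i + 2] != "Value:":
            raise ValueError(f"unexpected event layout at line {i + 1}")
        i += 3
        value = ""
        if i < len(lines) and not HEADER.match(lines[i]):
            value, i = lines[i], i + 1
        events.append(RegEvent(int(h["pid"]), h["proc"], h["key"], o["op"], o["name"], value))
    return events


def is_autostart(key: str) -> bool:
    """Strip the hive root and compare the remaining path against AUTOSTART prefixes."""
    rel = HIVE.sub("", key.lower(), count=1)
    return any(rel.startswith(prefix) for prefix in AUTOSTART)


def summarize(events: list) -> dict:
    by_proc = {}
    for e in events:
        by_proc[e.process] = by_proc.get(e.process, 0) + 1
    return {
        "total": len(events),
        "by_process": by_proc,
        "autostart_writes": [e for e in events if e.op == "write" and is_autostart(e.key)],
    }


if __name__ == "__main__":
    print(summarize(parse_events(REPORT_EVENTS)))
```

The list of autostart locations is intentionally short; for real triage replace it with a maintained catalogue (the Autoruns categories are a good reference) and keep the hive-stripping step, since reports print the same key under HKCU, HKEY_USERS\<SID> or HKCU-mapped Wow6432Node paths.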
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 columns are blank in the report)
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserEX Unpack\ConfuserExMethodsDecryptor.exe.config | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExceptionsRestore.exe.config | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExCfgKiller.exe.config | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExConstantDecryptor.exe.config | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserEX Unpack\ConfuserExMethodsDecryptor.exe | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserEX Unpack\dnlib.dll | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExCallFixer.exe | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExceptionsRestore.exe | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExCfgKiller.exe | MD5: | SHA256:
2620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2620.40775\unConfuserEx\ConfuserExConstantDecryptor.exe | MD5: | SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info