File name: unlocker-setup.exe

Full analysis: https://app.any.run/tasks/6538ca7b-e6a0-4712-b784-75159be35734
Verdict: Malicious activity
Analysis date: April 06, 2024, 06:39:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 646261D89E30C36B938DA1D7134691C9
SHA1: B25491854B409F454277586D97D2EAD28168E6EC
SHA256: 2EFDFFD1CF3ADAB21FF760F009D8893D8C4CBCF63B2C3BFCC1139457C9CD430B
SSDEEP: 49152:3mpEKwG7f0e4qkpPNFXbMXuesDNkferBmyYwfPG:0EKwwfjYFFXNesuoPG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • unlocker-setup.exe (PID: 1836)
      • unlocker-setup.exe (PID: 2688)
      • unlocker-setup.tmp (PID: 2364)
    • Registers / Runs the DLL via REGSVR32.EXE

      • unlocker-setup.tmp (PID: 2364)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • unlocker-setup.tmp (PID: 2364)
    • Reads the Windows owner or organization settings

      • unlocker-setup.tmp (PID: 2364)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 796)
    • Reads security settings of Internet Explorer

      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 844)
      • IObitUnlocker.exe (PID: 552)
    • Reads settings of System Certificates

      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 552)
      • IObitUnlocker.exe (PID: 844)
    • Non-standard symbols in registry

      • unlocker-setup.tmp (PID: 2364)
    • Checks Windows Trust Settings

      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 552)
      • IObitUnlocker.exe (PID: 844)
    • Adds/modifies Windows certificates

      • IObitUnlocker.exe (PID: 2072)
  • INFO

    • Checks supported languages

      • unlocker-setup.exe (PID: 1836)
      • unlocker-setup.tmp (PID: 2580)
      • unlocker-setup.exe (PID: 2688)
      • unlocker-setup.tmp (PID: 2364)
      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 552)
      • IObitUnlocker.exe (PID: 844)
    • Reads the computer name

      • unlocker-setup.tmp (PID: 2580)
      • unlocker-setup.tmp (PID: 2364)
      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 844)
      • IObitUnlocker.exe (PID: 552)
    • Create files in a temporary directory

      • unlocker-setup.exe (PID: 2688)
      • unlocker-setup.exe (PID: 1836)
      • unlocker-setup.tmp (PID: 2364)
    • Creates files in the program directory

      • unlocker-setup.tmp (PID: 2364)
      • IObitUnlocker.exe (PID: 2072)
    • Reads the software policy settings

      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 552)
      • IObitUnlocker.exe (PID: 844)
    • Manual execution by a user

      • IObitUnlocker.exe (PID: 1848)
      • explorer.exe (PID: 1572)
      • IObitUnlocker.exe (PID: 844)
      • IObitUnlocker.exe (PID: 1780)
      • IObitUnlocker.exe (PID: 552)
    • Reads the machine GUID from the registry

      • IObitUnlocker.exe (PID: 2072)
      • IObitUnlocker.exe (PID: 552)
      • IObitUnlocker.exe (PID: 844)
    • Creates a software uninstall entry

      • unlocker-setup.tmp (PID: 2364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:16 13:24:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 73728
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.11
ProductVersionNumber: 1.3.0.11
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: IObit
FileDescription: IObit Unlocker Setup
FileVersion: 1.3.0.11
LegalCopyright: © IObit. All rights reserved.
ProductName: IObit Unlocker
ProductVersion: 1.3.0.11
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes shown in the graph (in order): unlocker-setup.exe, unlocker-setup.tmp, unlocker-setup.exe, unlocker-setup.tmp, regsvr32.exe, iobitunlocker.exe, explorer.exe, iobitunlocker.exe, iobitunlocker.exe, iobitunlocker.exe, iobitunlocker.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 552
CMD: "C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe" /Menu
Path: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
Parent process: explorer.exe
User: admin
Company: IObit Information Technology
Integrity Level: HIGH
Description: Unlocker
Version: 1.6.0.16
Modules
Images
c:\program files\iobit\iobit unlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 796
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\IObit\IObit Unlocker\IObitUnlockerExtension.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: unlocker-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 844
CMD: "C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe" /Menu
Path: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
Parent process: explorer.exe
User: admin
Company: IObit Information Technology
Integrity Level: HIGH
Description: Unlocker
Exit code: 0
Version: 1.6.0.16
Modules
Images
c:\program files\iobit\iobit unlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1572
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1780
CMD: "C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe" /Menu
Path: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
Parent process: explorer.exe
User: admin
Company: IObit Information Technology
Integrity Level: MEDIUM
Description: Unlocker
Exit code: 3221226540
Version: 1.6.0.16
Modules
Images
c:\program files\iobit\iobit unlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
PID: 1836
CMD: "C:\Users\admin\Desktop\unlocker-setup.exe"
Path: C:\Users\admin\Desktop\unlocker-setup.exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: IObit Unlocker Setup
Exit code: 0
Version: 1.3.0.11
Modules
Images
c:\users\admin\desktop\unlocker-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1848
CMD: "C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe" /Menu
Path: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
Parent process: explorer.exe
User: admin
Company: IObit Information Technology
Integrity Level: MEDIUM
Description: Unlocker
Exit code: 3221226540
Version: 1.6.0.16
Modules
Images
c:\program files\iobit\iobit unlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
PID: 2072
CMD: "C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe"
Path: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
Parent process: unlocker-setup.tmp
User: admin
Company: IObit Information Technology
Integrity Level: HIGH
Description: Unlocker
Exit code: 0
Version: 1.6.0.16
Modules
Images
c:\program files\iobit\iobit unlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2364
CMD: "C:\Users\admin\AppData\Local\Temp\is-PQLRR.tmp\unlocker-setup.tmp" /SL5="$120176,1689069,139776,C:\Users\admin\Desktop\unlocker-setup.exe" /SPAWNWND=$F0214 /NOTIFYWND=$E0170
Path: C:\Users\admin\AppData\Local\Temp\is-PQLRR.tmp\unlocker-setup.tmp
Parent process: unlocker-setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pqlrr.tmp\unlocker-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2580
CMD: "C:\Users\admin\AppData\Local\Temp\is-K0MGO.tmp\unlocker-setup.tmp" /SL5="$E0170,1689069,139776,C:\Users\admin\Desktop\unlocker-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-K0MGO.tmp\unlocker-setup.tmp
Parent process: unlocker-setup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-k0mgo.tmp\unlocker-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 13 325
Read events: 13 234
Write events: 80
Delete events: 11

Modification events

PID 2364, unlocker-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 3C09000046C30D2EED87DA01

PID 2364, unlocker-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: B22AAEF4BC4D199B7DBA0E8C8BD04EC6C76CC27BA9B1637F143BE579940CDF64

PID 2364, unlocker-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

PID 2364, unlocker-setup.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl
Operation: write
Name: CrashDumpEnabled
Value: 2

PID 2364, unlocker-setup.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl
Operation: write
Name: MinidumpDir
Value: %SystemRoot%\Minidump

PID 2364, unlocker-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe

PID 2364, unlocker-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: BCAD8DCEBC55475EE75EAA792FF368D326E0A840A08463A900CF26B6232106C7

PID 796, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL
Operation: write
Name: AppID
Value: {59A55EF0-525F-4276-AB62-8F7E5F230399}

PID 796, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

PID 796, regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation: write
Name: {410BF280-86EF-4E0F-8279-EC5848546AD3}
Value: UnLockerMenu
Executable files: 17
Suspicious files: 4
Text files: 55
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1836 | unlocker-setup.exe | C:\Users\admin\AppData\Local\Temp\is-K0MGO.tmp\unlocker-setup.tmp | executable
2688 | unlocker-setup.exe | C:\Users\admin\AppData\Local\Temp\is-PQLRR.tmp\unlocker-setup.tmp | executable
2364 | unlocker-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-R5U3C.tmp\_isetup\_shfoldr.dll | executable
2364 | unlocker-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-R5U3C.tmp\RdZone.dll | executable
2364 | unlocker-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-R5U3C.tmp\IObitUnlocker.dll | executable
2364 | unlocker-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-R5U3C.tmp\Inno_English.lng | text
2364 | unlocker-setup.tmp | C:\Program Files\IObit\IObit Unlocker\is-8TC38.tmp | executable
2364 | unlocker-setup.tmp | C:\Program Files\IObit\IObit Unlocker\unins000.exe | executable
2364 | unlocker-setup.tmp | C:\Program Files\IObit\IObit Unlocker\is-2JSKU.tmp | executable
2364 | unlocker-setup.tmp | C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe | executable
(MD5 and SHA256 of the dropped files are not included in this excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2072 | IObitUnlocker.exe | POST | 200 | 152.199.20.140:80 | http://update.iobit.com/infofiles/iobitunlocker.upt | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2072 | IObitUnlocker.exe | 152.199.20.140:80 | update.iobit.com | EDGECAST | US | unknown

DNS requests

Domain | IP | Reputation
update.iobit.com | 152.199.20.140 | whitelisted

Threats

No threats detected
Process | Message
IObitUnlocker.exe | ParamStr(1):
IObitUnlocker.exe | C:\ProgramData\IObit\IObit Unlocker\temp.cds
IObitUnlocker.exe | C:\ProgramData\IObit\IObit Unlocker\temp.cds
IObitUnlocker.exe | DeleteFile
IObitUnlocker.exe | ParamStr(1):/Menu
IObitUnlocker.exe | C:\ProgramData\IObit\IObit Unlocker\temp.cds
IObitUnlocker.exe | DeleteFile
IObitUnlocker.exe | ParamStr(1):/Menu
IObitUnlocker.exe | DriverDumpInfo Path:C:\Users