File name: unlocker1.9.0-portable.zip

Full analysis: https://app.any.run/tasks/5eb6bffc-fa72-41ff-95ed-f5dd9cbe5788
Verdict: Malicious activity
Analysis date: July 29, 2022, 05:10:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8F7DA0D01AFD03A1E366A72C231FB3FC
SHA1: E8ABF005D2F7658F81B1ED29A0C426F9A63637F2
SHA256: 7FB45B8AC6971CBE98D6935203E956865CD258BA02A1AC20BCE07ADAB8DBE582
SSDEEP: 1536:JanPPVYDlENY/fdyCDYmnhNfjmp6+/DybLW7LrOpF2eV1WEg9DFSoOOAP1oDByds:JmPCCk1yFsquiGV1WEu7TeWDBy4cVAG8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Unlocker.exe (PID: 3996)
      • Unlocker.exe (PID: 2688)
      • Unlocker.exe (PID: 2988)
      • Unlocker.exe (PID: 2812)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2940)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2940)
      • Unlocker.exe (PID: 2688)
      • Unlocker.exe (PID: 2812)
    • Reads the computer name

      • WinRAR.exe (PID: 2940)
      • Unlocker.exe (PID: 2688)
      • Unlocker.exe (PID: 2812)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2940)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2940)
    • Creates or modifies windows services

      • Unlocker.exe (PID: 2688)
    • Reads default file associations for system extensions

      • WinRAR.exe (PID: 2940)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: README.TXT
ZipUncompressedSize: 1670
ZipCompressedSize: 856
ZipCRC: 0xad14dddd
ZipModifyDate: 2010:07:04 19:32:05
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 43
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Graph not reproduced. Recoverable content: winrar.exe (start) -> four "drop and start" edges to unlocker.exe instances, two of them labelled "no specs".]

Process information

PID: 2688
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\Unlocker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\Unlocker.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa2940.8002\x86\unlocker.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\psapi.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\user32.dll

PID: 2812
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x86\Unlocker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x86\Unlocker.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa2940.9995\x86\unlocker.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\psapi.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 2940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\unlocker1.9.0-portable.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2988
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x86\Unlocker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x86\Unlocker.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; only ntdll was loaded before the process exited, and the same image was relaunched at HIGH integrity as PID 2812)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa2940.9995\x86\unlocker.exe
  c:\windows\system32\ntdll.dll

PID: 3996
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\Unlocker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\Unlocker.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; only ntdll was loaded before the process exited, and the same image was relaunched at HIGH integrity as PID 2688)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa2940.8002\x86\unlocker.exe
  c:\windows\system32\ntdll.dll
Total events: 3 068
Read events: 3 037
Write events: 31
Delete events: 0

Modification events (all by PID 2940, WinRAR.exe)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\unlocker1.9.0-portable.zip
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 14
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files (all dropped by PID 2940, WinRAR.exe)

C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x64\UnlockerInject32.exe (executable)
  MD5: 86F2DB16FA060DA24810A9C0ADE06A6B
  SHA256: 1DE4AAE11D0FBB75E7ABFCC14212DEABDE404A4671D3DE7F8124F370FBD865CF
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x64\Unlocker.exe (executable)
  MD5: 4BA85F844C75293187C5A95B2DEDC7EC
  SHA256: 0C44365761C09C19F3C2C4EDCE69D2CAF64AA927E34DB2C71D46DB86DFBF98C8
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\UnlockerAssistant.exe (executable)
  MD5: 255E405D801CF01247390F38F92D8042
  SHA256: B0A4C2B6F40D7AD177DBD40C26B579D67CC9A95552970D9F6F0C7DE372CE2A2F
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x86\Unlocker.exe (executable)
  MD5: 51DFAF518ABE1B24AA409CEF12D7D0AB
  SHA256: 9ACEC97CCABADFFCF774B58B0B12DE531AB541C6530069B1664270BDEDC1051F
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x86\Unlocker.exe (executable)
  MD5: 51DFAF518ABE1B24AA409CEF12D7D0AB
  SHA256: 9ACEC97CCABADFFCF774B58B0B12DE531AB541C6530069B1664270BDEDC1051F
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\README.TXT (text)
  MD5: 8ABEC0AB86416FF2F1ACABBC67D37C42
  SHA256: B9DF34C6263B0EB26B186A50EC87A7C8BBE22CFE87B5EE8337701494CC0E720C
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x64\Unlocker.exe (executable)
  MD5: 4BA85F844C75293187C5A95B2DEDC7EC
  SHA256: 0C44365761C09C19F3C2C4EDCE69D2CAF64AA927E34DB2C71D46DB86DFBF98C8
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x64\UnlockerInject32.exe (executable)
  MD5: 86F2DB16FA060DA24810A9C0ADE06A6B
  SHA256: 1DE4AAE11D0FBB75E7ABFCC14212DEABDE404A4671D3DE7F8124F370FBD865CF
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.9995\x64\UnlockerDriver5.sys (executable)
  MD5: 9DC07E73A4ABB9ACF692113B36A5009F
  SHA256: CA7176FC219515D58DCFA66EC61880ECE5617275C9B83701BB74D8B60E733D34
C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.8002\x64\UnlockerDriver5.sys (executable)
  MD5: 9DC07E73A4ABB9ACF692113B36A5009F
  SHA256: CA7176FC219515D58DCFA66EC61880ECE5617275C9B83701BB74D8B60E733D34
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info