analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

unlocker-setup.exe

Full analysis: https://app.any.run/tasks/31bb5c46-7b46-4bd3-a05f-ea029f302249
Verdict: Malicious activity
Analysis date: July 11, 2019, 22:28:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

81ED97F9FAD6703413F25E652A4AF9DF

SHA1:

30B788EC245AA48546AD0716B841A00ADBA0AD75

SHA256:

E5C1B479630E958E8F8E07AC42D43DCDB8D5AC639B20EBB1515FC9345F1DA801

SSDEEP:

49152:nx6Qw1/hIghVYpUpZhHXVY9cUJGQB26BmcEgbnBsj+dZ4JS6Qa:spfhVdp/Adm9Qsj0ZC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • unlocker-setup.tmp (PID: 704)
    • Application was dropped or rewritten from another process

      • IObitUnlocker.exe (PID: 3984)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3124)
      • IObitUnlocker.exe (PID: 3984)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • unlocker-setup.exe (PID: 3736)
      • unlocker-setup.exe (PID: 3388)
      • unlocker-setup.tmp (PID: 704)
    • Reads Windows owner or organization settings

      • unlocker-setup.tmp (PID: 704)
    • Reads the Windows organization settings

      • unlocker-setup.tmp (PID: 704)
    • Creates files in the user directory

      • TaskHelper.exe (PID: 3956)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3124)
    • Creates files in the program directory

      • IObitUnlocker.exe (PID: 3984)
  • INFO

    • Application was dropped or rewritten from another process

      • unlocker-setup.tmp (PID: 288)
      • unlocker-setup.tmp (PID: 704)
      • TaskHelper.exe (PID: 3956)
    • Creates files in the program directory

      • unlocker-setup.tmp (PID: 704)
    • Loads dropped or rewritten executable

      • unlocker-setup.tmp (PID: 704)
      • TaskHelper.exe (PID: 3956)
    • Creates a software uninstall entry

      • unlocker-setup.tmp (PID: 704)
    • Manual execution by user

      • WINWORD.EXE (PID: 3180)
      • chrome.exe (PID: 2812)
      • WINWORD.EXE (PID: 3336)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3180)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3180)
      • WINWORD.EXE (PID: 3336)
    • Application launched itself

      • chrome.exe (PID: 2812)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:16 15:24:20+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 73728
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.2.1
ProductVersionNumber: 1.1.2.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: IObit
FileDescription: IObit Unlocker
FileVersion: 1.1.2.1
LegalCopyright: Copyright © 2005-2018
ProductName: IObit Unlocker
ProductVersion: 1.1.2.1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jul-2015 13:24:20
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: IObit
FileDescription: IObit Unlocker
FileVersion: 1.1.2.1
LegalCopyright: Copyright © 2005-2018
ProductName: IObit Unlocker
ProductVersion: 1.1.2.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 16-Jul-2015 13:24:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000F134
0x0000F200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.39165
.itext
0x00011000
0x00000B44
0x00000C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.74124
.data
0x00012000
0x00000C88
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.24753
.bss
0x00013000
0x000056B8
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00019000
0x00000DD0
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.97188
.tls
0x0001A000
0x00000008
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x0001B000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.204488
.rsrc
0x0001C000
0x0001000C
0x00010200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.32948

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.13965
1580
Latin 1 / Western European
English - United States
RT_MANIFEST
2
6.62094
2216
Latin 1 / Western European
English - United States
RT_ICON
3
4.61321
1384
Latin 1 / Western European
English - United States
RT_ICON
4
6.08823
9640
Latin 1 / Western European
English - United States
RT_ICON
5
6.32232
4264
Latin 1 / Western European
English - United States
RT_ICON
6
6.35527
2440
Latin 1 / Western European
English - United States
RT_ICON
7
6.11081
1128
Latin 1 / Western European
English - United States
RT_ICON
4091
2.56031
104
Latin 1 / Western European
UNKNOWN
RT_STRING
4092
3.25287
212
Latin 1 / Western European
UNKNOWN
RT_STRING
4093
3.26919
164
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
kernel32.dll
oleaut32.dll
user32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
19
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start unlocker-setup.exe unlocker-setup.tmp no specs unlocker-setup.exe unlocker-setup.tmp taskhelper.exe regsvr32.exe no specs iobitunlocker.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3388"C:\Users\admin\Downloads\unlocker-setup.exe" C:\Users\admin\Downloads\unlocker-setup.exe
explorer.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit Unlocker
Exit code:
0
Version:
1.1.2.1
288"C:\Users\admin\AppData\Local\Temp\is-5GQR2.tmp\unlocker-setup.tmp" /SL5="$5013E,1967081,139776,C:\Users\admin\Downloads\unlocker-setup.exe" C:\Users\admin\AppData\Local\Temp\is-5GQR2.tmp\unlocker-setup.tmpunlocker-setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3736"C:\Users\admin\Downloads\unlocker-setup.exe" /SPAWNWND=$B019C /NOTIFYWND=$5013E C:\Users\admin\Downloads\unlocker-setup.exe
unlocker-setup.tmp
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
IObit Unlocker
Exit code:
0
Version:
1.1.2.1
704"C:\Users\admin\AppData\Local\Temp\is-ULQU0.tmp\unlocker-setup.tmp" /SL5="$40154,1967081,139776,C:\Users\admin\Downloads\unlocker-setup.exe" /SPAWNWND=$B019C /NOTIFYWND=$5013E C:\Users\admin\AppData\Local\Temp\is-ULQU0.tmp\unlocker-setup.tmp
unlocker-setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3956"C:\Users\admin\AppData\Local\Temp\is-OI9FA.tmp\TaskHelper.exe" /BookmarkC:\Users\admin\AppData\Local\Temp\is-OI9FA.tmp\TaskHelper.exe
unlocker-setup.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
3124"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\IObit\IObit Unlocker\IObitUnlockerExtension.dll"C:\Windows\system32\regsvr32.exeunlocker-setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3984"C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe"C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
unlocker-setup.tmp
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
IObitUnlocker
Exit code:
0
Version:
1.4.1.26
2812"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3520"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x7015a9d0,0x7015a9e0,0x7015a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1352"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3980 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 101
Read events
1 657
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
24
Text files
98
Unknown types
10

Dropped files

PID
Process
Filename
Type
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-880KF.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-6ETMG.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-2559T.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-N82P7.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-VFJD1.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\is-R10KA.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\Language\is-2VDE1.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\Language\is-LPAOT.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\Language\is-MMO2D.tmp
MD5:
SHA256:
704unlocker-setup.tmpC:\Program Files\IObit\IObit Unlocker\Language\is-BG7I9.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3984
IObitUnlocker.exe
POST
200
93.184.221.133:80
http://update.iobit.com/infofiles/iobitunlocker.upt
US
text
141 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3984
IObitUnlocker.exe
93.184.221.133:80
update.iobit.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2516
chrome.exe
172.217.22.14:443
apis.google.com
Google Inc.
US
whitelisted
2516
chrome.exe
172.217.18.10:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2516
chrome.exe
172.217.16.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2516
chrome.exe
216.58.205.227:443
www.google.com.ua
Google Inc.
US
whitelisted
2516
chrome.exe
216.58.207.67:443
fonts.gstatic.com
Google Inc.
US
whitelisted
2516
chrome.exe
172.217.22.109:443
accounts.google.com
Google Inc.
US
whitelisted
2516
chrome.exe
216.58.207.46:443
ogs.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
update.iobit.com
  • 93.184.221.133
whitelisted
clientservices.googleapis.com
  • 172.217.16.131
whitelisted
accounts.google.com
  • 172.217.22.109
shared
www.google.com.ua
  • 216.58.205.227
whitelisted
fonts.googleapis.com
  • 172.217.18.10
whitelisted
www.gstatic.com
  • 216.58.205.227
whitelisted
fonts.gstatic.com
  • 216.58.207.67
whitelisted
apis.google.com
  • 172.217.22.14
whitelisted
ogs.google.com
  • 216.58.207.46
whitelisted

Threats

No threats detected
Process
Message
TaskHelper.exe
GetChromePath: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\
IObitUnlocker.exe
ParamStr(1):
IObitUnlocker.exe
ParamStr(1):
IObitUnlocker.exe
DriverDumpInfo Path:C:\Users\admin\Desktop\tipslost.rtf
IObitUnlocker.exe
DriverDumpInfo Path:C:\Users\admin\Desktop\blackaddress.rtf
IObitUnlocker.exe
DriverDumpInfo Path:C:\Users\admin\Desktop\tipslost.rtf