File name: pdf-unlock-tool.exe

Full analysis: https://app.any.run/tasks/858aacf0-558a-4d9f-8b74-8b1b1e1aeaae
Verdict: Malicious activity
Analysis date: December 15, 2023, 20:17:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 2409F3AB978D981A2E701965FAD8D713
SHA1: 2B23EB39E397CFE29782B38C4DC3D7D24D8FD489
SHA256: F5074B8BA7E7DFA71D1AC1E8FA5AA7459D3E0456F9C99F4F73EA057A31C7B6EF
SSDEEP: 12288:nJdEQ+WZOPoRoTQc+Rhpe0xxvn8fa1m3la1d7cVVVVVVVVVVVVVVVVVV6xvMuZVy:JdEQVOQQQc+/pe0TvKa1mg1dBxvMuZVy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • pdf-unlock-tool.exe (PID: 1864)
    • Reads the Internet Settings

      • pdf-unlock-tool.exe (PID: 1864)
    • Reads settings of System Certificates

      • pdf-unlock-tool.exe (PID: 1864)
    • Checks Windows Trust Settings

      • pdf-unlock-tool.exe (PID: 1864)
    • Reads security settings of Internet Explorer

      • pdf-unlock-tool.exe (PID: 1864)
    • Reads Internet Explorer settings

      • pdf-unlock-tool.exe (PID: 1864)
  • INFO

    • Checks supported languages

      • pdf-unlock-tool.exe (PID: 1864)
      • wmpnscfg.exe (PID: 2600)
      • wmpnscfg.exe (PID: 3964)
    • Reads the computer name

      • pdf-unlock-tool.exe (PID: 1864)
      • wmpnscfg.exe (PID: 2600)
      • wmpnscfg.exe (PID: 3964)
    • Checks proxy server information

      • pdf-unlock-tool.exe (PID: 1864)
    • Reads the machine GUID from the registry

      • pdf-unlock-tool.exe (PID: 1864)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2600)
      • wmpnscfg.exe (PID: 3964)
    • Creates files or folders in the user directory

      • pdf-unlock-tool.exe (PID: 1864)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:13 12:40:32+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 319488
InitializedDataSize: 16384
UninitializedDataSize: 688128
EntryPoint: 0xf59c0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.32.4.0
ProductVersionNumber: 1.32.4.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Spanish (Modern)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic Downloader
FileVersion: 1, 32, 4, 0
InternalName: Softonic Downloader
LegalCopyright: Copyright (C) 2011
OriginalFileName: SoftonicDownloader.exe
ProductName: Softonic Downloader
ProductVersion: 1, 32, 4, 0
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph


Process information

PID: 1864
CMD: "C:\Users\admin\AppData\Local\Temp\pdf-unlock-tool.exe"
Path: C:\Users\admin\AppData\Local\Temp\pdf-unlock-tool.exe
Parent process: explorer.exe
User: admin
Company: Softonic
Integrity Level: MEDIUM
Description: Softonic Downloader
Exit code: 0
Version: 1, 32, 4, 0
Modules (images):
c:\users\admin\appdata\local\temp\pdf-unlock-tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 2600
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3964
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 217
Read events: 5 179
Write events: 38
Delete events: 0

Modification events

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write | Name: ProxyEnable | Value: 0

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write | Name: SavedLegacySettings
Value: 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write | Name: WpadDecisionReason | Value: 1

(PID) Process: (1864) pdf-unlock-tool.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write | Name: WpadDecisionTime | Value: DECDCBB6932FDA01
Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_A3BDBA792161F0ADEE935E6E6327D8F9 | binary
MD5: 0B9FEE7C5C4DD81FDC40E1371A73A3CE
SHA256: D5E6CE16B5AEA02B996B1454F15B2E1BF2BBE1451D89501362E9E675D3AC3981

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
MD5: F763FB17089D8F9DFF2BC8EE8C4AC780
SHA256: 5DF944B8CA7B5F3E1BF4EDA523E683AD1725FF5FB18C4851D7F73D3B8C251C90

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 1729BA4F41704C9FBDFED66CC32F2B3C
SHA256: A7320ECABCEAF9D3968AA10C8FFED53A1E0783A997075EC009EB4D5664CD8A71

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: 7C9E3E1CB5E5CC63D7A12B1D96523F6D
SHA256: 3133A2A883AD2D5DF23D0D2455B3BBE1AF2EF6BD4A8CA601D7C6ECA594EB3D71

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_A3BDBA792161F0ADEE935E6E6327D8F9 | binary
MD5: 222BF45D1AF99D9747ACAFF5383C1A7C
SHA256: 6D487CEF19B694F551894220377BF2776CC7F8A96048317188CC690D9A0A6B71

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48946DEA5580C3F43660391B918DD323_6B6142C197A95FBFE3791BA39C0CAFB4 | binary
MD5: D3256BA8CC414A20833CED9ECBA0692F
SHA256: FBB0229BD7510397DE237A4873F566453D347A2B075E710021FCC2AC653F129A

1864 | pdf-unlock-tool.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48946DEA5580C3F43660391B918DD323_6B6142C197A95FBFE3791BA39C0CAFB4 | binary
MD5: 57601F8953A2CCBB70EFA0885C550BD9
SHA256: 11446416DB27276F0A05E797D6290C5A82A887603222CF09FF99988F67BD442E
HTTP(S) requests: 6
TCP/UDP connections: 11
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1864 | pdf-unlock-tool.exe | GET | 301 | 35.227.233.104:80 | http://pdf-unlock-tool.sd.en.softonic.com/universaldownloader-prefetch | US | - | - | unknown
1864 | pdf-unlock-tool.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQD9GcemSPIwhTQbyW%2FJ4FbI | unknown | binary | 2.18 Kb | unknown
1864 | pdf-unlock-tool.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown
1864 | pdf-unlock-tool.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT8p55LRlX%2BveM4oDlzhIhnAZ%2Ft2wQUOgqMHHdZKeoW9pk%2Foxez3ykRkzoCEH5DKbP5yUM4od3UWW8S4iQ%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?59b8873ffc666c10 | GB | compressed | 65.2 Kb | unknown
1864 | pdf-unlock-tool.exe | GET | 200 | 193.108.153.18:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?95d53e04d3f8e769 | DE | compressed | 4.66 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1864 | pdf-unlock-tool.exe | 35.227.233.104:80 | pdf-unlock-tool.sd.en.softonic.com | GOOGLE | US | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1864 | pdf-unlock-tool.exe | 35.227.233.104:443 | pdf-unlock-tool.sd.en.softonic.com | GOOGLE | US | unknown
1864 | pdf-unlock-tool.exe | 193.108.153.18:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1864 | pdf-unlock-tool.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | shared
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

DNS requests

Domain
IP
Reputation
pdf-unlock-tool.sd.en.softonic.com
  • 35.227.233.104
unknown
ctldl.windowsupdate.com
  • 193.108.153.18
  • 193.108.153.12
  • 93.184.221.240
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted

Threats

1 ETPRO signatures available at the full report
No debug info