ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 10 August 2012, 20:22:21
Processing time: 13 min 58 sec
Submitted sample:

File MD5: 0x94DB4A71308699B39467905DA91120CF
File SHA-1: 0xE6DA0436C5B415AA225499147B03482F685DB625
Filesize: 2,486,831 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonDesktopDir%\SysTools PDF Unlocker.lnk	788 bytes	MD5: 0x5CEDC19E32F54917BC92877533CD6491 SHA-1: 0xD38B7C6C63627B67390276DA63998E3415AAF5CC
2	%CommonPrograms%\SysTools PDF Unlocker\SysTools PDF Unlocker.lnk	800 bytes	MD5: 0xACDFA1618B82B90DE8537B88C6388284 SHA-1: 0x31E6081E932CDB4E21B73F0741BB7BCFE11B5750
3	%CommonPrograms%\SysTools PDF Unlocker\Uninstall SysTools PDF Unlocker.lnk	785 bytes	MD5: 0x691F078DD90ECEB5DCD36EF95EA63C22 SHA-1: 0x0DEF93CFEAE75014BF2EE04B2EC5622B07A0A80D
4	%ProgramFiles%\SysTools PDF Unlocker\blank.gif	43 bytes	MD5: 0x325472601571F31E1BF00674C368D335 SHA-1: 0x2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A
5	%ProgramFiles%\SysTools PDF Unlocker\cross.ico	297,092 bytes	MD5: 0xEAE23C3A369AD1C7E348F340D31F1B29 SHA-1: 0xBA40EC6AC96CE0D2F6EBBFE6E156EEC4B551B5FE
6	%ProgramFiles%\SysTools PDF Unlocker\DemoDoc.pdf	50,932 bytes	MD5: 0x4199EFAACFE7C24A26FBDA4BBC30F198 SHA-1: 0x84F4EDC4E3A8D5E5B110811B4AA2082C62042696
7	%ProgramFiles%\SysTools PDF Unlocker\ErrorWarning.log	205 bytes	MD5: 0xCFDDFE32EB637D9F4CAB83BC3188D7C1 SHA-1: 0x61686D2D4E195595F395E650EA9F08357ECC48B5
8	%ProgramFiles%\SysTools PDF Unlocker\EULA.pdf	213,805 bytes	MD5: 0xE5A7AD19270D958F0B0D9A5D51DF7B48 SHA-1: 0x62A4ACE554CF619A9C8E13046A0CC10B98DD4221
9	%ProgramFiles%\SysTools PDF Unlocker\Help.chm	453,374 bytes	MD5: 0x380E8A3722E551CD4703F784CAA94B89 SHA-1: 0xC225D39CF931AF59555684361C541652C8C48352
10	%ProgramFiles%\SysTools PDF Unlocker\isxdl.dll	59,392 bytes	MD5: 0x792620390AAE5305220283F2CE33CA68 SHA-1: 0xD9FEE4CB3E2FA5E7D88B45662FD58B30AA9979F0
11	%ProgramFiles%\SysTools PDF Unlocker\log4net.dll	258,048 bytes	MD5: 0xF0D06BBEB3B0B8D07BB9BB5A20E6A88E SHA-1: 0x395027F213CF8727D8C7D2F2F0215432849F174B
12	%ProgramFiles%\SysTools PDF Unlocker\PDFUnlocker.exe	5,225,984 bytes	MD5: 0x2335CC0598EDCDD5C5CE300B37BAD40C SHA-1: 0xDB7FC39B1DA721BE3C433E606CD43CF558142DDF
13	%ProgramFiles%\SysTools PDF Unlocker\PDFUnlocker.exe.config	2,144 bytes	MD5: 0x7DB972EEDBE878E974D93354FC474D71 SHA-1: 0x6502BB084BC1DCFBB88B40DC1E171BD70E4A4C8B
14	%ProgramFiles%\SysTools PDF Unlocker\ReleaseNotes.pdf	99,345 bytes	MD5: 0x7DBA196A22F3F687E0F8F211D107E146 SHA-1: 0xF07DA1EF86070330602FF3507FC11B1950A38B9D
15	%ProgramFiles%\SysTools PDF Unlocker\TabStrip.dll	37,376 bytes	MD5: 0xBECEE3938DEA10A0EE8BC3D25A8A9D8A SHA-1: 0x10C9CE6C44FCC1E2924003E3B7441AC573F809CB
16	%ProgramFiles%\SysTools PDF Unlocker\tick.gif	154 bytes	MD5: 0xC037DF4DEDD61B4B5D77517D05DE2020 SHA-1: 0xCB7E0CF0C969A85AB3A569C6AF1B66D7A9C1D02E
17	%ProgramFiles%\SysTools PDF Unlocker\unins000.dat	5,606 bytes	MD5: 0x434D342BFD23ABD0BB6AC1CCC51D1175 SHA-1: 0xA32374EC6D55E09561EE2C761BC0E37E357BF346
18	%ProgramFiles%\SysTools PDF Unlocker\unins000.exe	715,038 bytes	MD5: 0xBF883DD920CF3E4DF0DC4857BF5FD446 SHA-1: 0x966A89B7A227AB3915D1F5BA0B5207C399F25569
19	[file and pathname of the sample #1]	2,486,831 bytes	MD5: 0x94DB4A71308699B39467905DA91120CF SHA-1: 0xE6DA0436C5B415AA225499147B03482F685DB625

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\SysTools PDF Unlocker
%ProgramFiles%\SysTools PDF Unlocker

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
[filename of the sample #1 without extension].tmp	%Temp%\is-M9J68.tmp\[filename of the sample #1 without extension].tmp	770,048 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysTools PDF Unlocker_is1

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysTools PDF Unlocker_is1]

Inno Setup: Setup Version = "5.4.3 (a)"
Inno Setup: App Path = "%ProgramFiles%\SysTools PDF Unlocker"
InstallLocation = "%ProgramFiles%\SysTools PDF Unlocker\"
Inno Setup: Icon Group = "SysTools PDF Unlocker"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = ""
Inno Setup: Language = "english"
DisplayName = "SysTools PDF Unlocker - v3.1"
UninstallString = ""%ProgramFiles%\SysTools PDF Unlocker\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\SysTools PDF Unlocker\unins000.exe" /SILENT"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120810"

Other details

Analysis of the file resources indicate the following possible country of origin:

Netherlands

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.systoolsgroup.com	80	(null)	(null)

The following GET requests were made:

pupdates.html
index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.