File verdict · Decided by the MT AI Engine
Our call

Safe

Unsigned game-mod DLC unlocker tool; zero malicious engine detections across 68 engines; 504 submitters; process injection consistent with game patching, not malware.

Trust score: 88 (High trust)
MT AI confidence · 82%
EA DLC Unlocker v2 155-0.zip
245.1 KB
5410236d86e3f129647710fb6f7c
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 23 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

82% Confidence
High
Reasoning

The file exhibits a clean engine profile: zero malicious detections, 17 tier-1 engines silent, and no tier-1 family consensus. Prevalence data shows 504 unique submitters and 567 submissions since mid-May, indicating widespread known distribution rather than a rare suspicious sample. Sandbox behaviour reveals process injection (T1055) and evasion (T1497) techniques, which triggered a heuristic rule; however, these are consistent with game-mod tools that patch running game processes to unlock DLC. The dropped files and process logs reference game-specific .ini files (Cities Skylines, Dead Space 2023, F1 22/23) and setup scripts, not malware infrastructure. No malicious children, no contacted malicious hosts, and no external YARA/CIRCL hits further support a benign classification.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/68 malicious; tier1Malicious=0; tier1ReportedClean=17 (Kaspersky, BitDefender, ESET-NOD32, Avira, Fortinet, F-Secure, Emsisoft, Ikarus, GData, DrWeb, Avast, AVG all silent)

  2. prevalence.classification=common_new; 504 unique submitters, 567 submissions since 2026-05-17 — widespread known distribution

  3. triggeredHeuristics: MalwareTips.Synth.ProcessInjection fired on rundll32.exe + version.dll injection — consistent with game-mod DLL patching, not malware C2 beacon

  4. droppedChildren: 10 inspected, 0 malicious, all unknown verdicts; no malicious sandbox verdict; no contacted malicious hosts

  5. filename + process logs (setup.bat, config.ini, g_Cities Skylines.ini, g_Dead Space 2023.ini) indicate game-mod/DLC-unlocker tool, not trojan

Points in its favour
  • Zero malicious detections across 68 engines; 17 tier-1 vendors silent
  • High prevalence: 504 unique submitters, 567 submissions — known widespread distribution
  • Dropped files and process logs reference legitimate game titles and config files
  • No malicious children, no contacted malicious hosts, no external YARA/CIRCL hits
  • Behaviour consistent with game-patching tools, not malware C2 or exfiltration
Points against
  • Process injection (T1055) — DLL loaded into rundll32.exe for game patching
  • Sandbox evasion (T1497) — tool detects and avoids analysis environments
  • Unsigned binary — no publisher verification available
  • Game-mod tool — may violate game publisher terms of service
What to do

This file is a known game-mod DLC-unlocker tool with no malicious engine consensus and high legitimate prevalence. It is safe to use if obtained from a trusted source and if you accept the risk of violating game publisher terms of service. Monitor for any unexpected system changes or performance issues.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
10

Adversary techniques mapped to the MITRE ATT&CK framework.

T1033, T1055, T1082, T1083, T1202, T1497, T1518.001, T1562.001, T1564.001, T1574
Spawned processes
12
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\EA DLC Unlocker v2/ea_app/version.dll",#1
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\EA DLC Unlocker v2/origin/version.dll",#1
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\<USER>\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\<USER>\AppData\Local\Temp\EA DLC Unlocker v2/setup.bat^"
C:\Windows\system32\cmd.exe /K "C:\Users\<USER>\AppData\Local\Temp\EA DLC Unlocker v2/setup.bat
C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWow64\unarchiver.exe" "C:\Users\user\Desktop\RksIGn6O-EA DLC Unlocker v2 155-0.zip"
C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qic0wtdn.43i" "C:\Users\user\Desktop\RksIGn6O-EA DLC Unlocker v2 155-0.zip"
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
/usr/bin/exo-open exo-open "/tmp/RksIGn6O-EA DLC Unlocker v2 155-0.zip"
+4 more processes captured.
Filesystem & mutexes
15
Files written: 15
  • C:\Users\user\AppData\Local\Temp\qic0wtdn.43i
  • C:\Users\user\AppData\Local\Temp\qic0wtdn.43i\EA DLC Unlocker v2
  • C:\Users\user\AppData\Local\Temp\qic0wtdn.43i\EA DLC Unlocker v2\config.ini
  • C:\Users\user\AppData\Local\Temp\qic0wtdn.43i\EA DLC Unlocker v2\ea_app
  • C:\Users\user\AppData\Local\Temp\qic0wtdn.43i\EA DLC Unlocker v2\ea_app\version.dll
+10 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\EA DLC Unlocker v2/ea_app/version.dll",#1
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
  • Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate)
  • Tier-2 (38 engines): 0 flagged. Mainstream engines with mixed FP rates
  • Low-trust (20 engines): 0 flagged. Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash 5410236d86e3… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.

Common & new
Unique uploaders
504
Hundreds of people have uploaded this — common.
Total submissions
567
Includes repeat uploads by the same source.
First seen by VT
23d ago
May 17, 2026
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New (this file): Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/17/2026, 5:42:33 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/9/2026, 5:15:00 PM
Scanned here
6/9/2026, 7:49:12 PM
File name
EA DLC Unlocker v2 155-0.zip
Size
245.1 KB
MIME type
(unknown)
Detected type
ZIP
SHA-256
5410236d86e3f1296466ae18cd326a987bb3ff43bbd94d3fee26e57710fb6f7c
MD5
f4d43fbf319b4f3e90c183c57a113efa
SHA-1
9559498f491097acbeffabb9258afcd48fb2ecb1
First scan (MalwareTips)
6/9/2026, 7:49:12 PM
Last scan (MalwareTips)
6/9/2026, 7:49:12 PM
Behavior tags
detect-debug-environment, zip, long-sleeps, sets-process-name, contains-pe
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.