
Summary
Detects registration of the IObit Unlocker Extension DLL (IObitUnlockerExtension.dll) through regsvr32.exe on Windows endpoints. The rule flags processes named regsvr32.exe that load or register this DLL, an instance of Signed Binary Proxy Execution in which a trusted Microsoft-signed binary is used to load a DLL into a process. It queries the Endpoint.Processes data model for such processes, using fields including process, process_name, parent_process_name and the command line, and is fed by endpoint process-creation telemetry such as Sysmon Event ID 1, Windows Security Event 4688 and CrowdStrike ProcessRollup2, which supply full process invocation context. The detection maps to MITRE ATT&CK technique T1218.010. Its Risk-Based Alerting (RBA) configuration assigns a severity to the destination host and surfaces parent process details to aid triage. The rule includes false-positive guidance for legitimate maintenance that uses regsvr32, and provides drill-down and risk-view searches for investigating events and related risk artifacts per user and per destination.
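The matching logic described above, written here as an added Python approximation run over constructed process-creation events shaped like Endpoint.Processes fields; this is not the rule's own search, and the benign-parent list and severity values are assumptions for illustration:

```python
"""Added example: regsvr32.exe + IObitUnlockerExtension.dll detection over sample events."""
from typing import Dict, Iterable, List

TARGET_PROCESS = "regsvr32.exe"
TARGET_DLL = "iobitunlockerextension.dll"
# Hypothetical tuning list (assumption): parents treated as legitimate maintenance.
BENIGN_PARENTS = {"iobitunlocker.exe", "msiexec.exe"}

# Constructed sample events; field names follow the Endpoint.Processes data model.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "ws01", "user": "alice", "process_name": "regsvr32.exe",
     "parent_process_name": "cmd.exe",
     "process": r"regsvr32.exe /s C:\Users\Public\IObitUnlockerExtension.dll"},
    {"dest": "ws02", "user": "bob", "process_name": "regsvr32.exe",
     "parent_process_name": "IObitUnlocker.exe",
     "process": r'regsvr32.exe /s "C:\Program Files\IObit\IObitUnlockerExtension.dll"'},
    {"dest": "ws03", "user": "carol", "process_name": "regsvr32.exe",
     "parent_process_name": "explorer.exe",
     "process": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"dest": "ws04", "user": "dave", "process_name": "rundll32.exe",
     "parent_process_name": "cmd.exe",
     "process": r"rundll32.exe C:\Temp\IObitUnlockerExtension.dll,DllMain"},
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the image is regsvr32.exe and the target DLL appears on its command line."""
    proc = event.get("process_name", "").lower()
    cmd = event.get("process", "").lower()
    return proc == TARGET_PROCESS and TARGET_DLL in cmd


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One risk observation per matching event, carrying the triage context RBA surfaces."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        parent = ev.get("parent_process_name", "")
        findings.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "parent_process_name": parent,
            # Severity values are constructed; the rule's real risk score is not on the page.
            "severity": "low" if parent.lower() in BENIGN_PARENTS else "medium",
            "mitre_technique": "T1218.010",
        })
    return findings
```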
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1218.010
Created: 2026-04-13