File name:

_SolidSQUAD_.7z

Full analysis: https://app.any.run/tasks/55333df9-c3eb-4982-939b-b9a3ef833a28
Verdict: Malicious activity
Analysis date: November 14, 2021, 15:31:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

7B584255A78FD67FEF8784D412D33021

SHA1:

229BD088D6A52A2DFE4DDDCA1C292D886492E493

SHA256:

984D72782737937706DAEF1287E0624025EFF497B6959D3F0B88306E8D5B0960

SSDEEP:

49152:5XzVla2bI3n24bHDXXazK0rTs7CdPG5Sl7K+NS+hIhs:tz7RktX8KqG2PG5BEy+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3400)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3356)

    • Checks supported languages

      • WinRAR.exe (PID: 3356)

    • Creates files in the program directory

      • WinRAR.exe (PID: 3356)

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3356)

    • Creates a directory in Program Files

      • WinRAR.exe (PID: 3356)

    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3356)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3356)

  • INFO

    • Manual execution by user

      • regedit.exe (PID: 3136)
      • regedit.exe (PID: 1980)
      • regedit.exe (PID: 2348)
      • regedit.exe (PID: 3008)

    • Checks supported languages

      • regedit.exe (PID: 3136)
      • regedit.exe (PID: 3008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe

Process information

PID
CMD
Path
Indicators
Parent process
1980"regedit.exe" "C:\Users\admin\Desktop\New folder\SolidSQUADLoaderEnabler.reg"C:\Windows\regedit.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
2348"regedit.exe" "C:\Users\admin\Desktop\New folder\sw2020_network_serials_licensing.reg"C:\Windows\regedit.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
3008"regedit.exe" "C:\Users\admin\Desktop\New folder\sw2020_network_serials_licensing.reg"C:\Windows\regedit.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3136"regedit.exe" "C:\Users\admin\Desktop\New folder\SolidSQUADLoaderEnabler.reg"C:\Windows\regedit.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3356"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3400"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 792
Read events
1 746
Write events
46
Delete events
0

Modification events

(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3356) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3356) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@C:\Windows\regedit.exe,-309
Value:
Registration Entries
Executable files
41
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\sw2020_network_serials_licensing.regtext
MD5:
SHA256:
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\readme.txttext
MD5:
SHA256:
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidWorks_Flexnet_Server\server_remove.battext
MD5:950D94840CD6B889A8A9ED1FE93FF73B
SHA256:8B0B95E49330C8FC517061AB420E0DA66555A20A270AD88835EEA05A591AF04E
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Inspection\PDF\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidSQUADLoaderEnabler.regtext
MD5:888BFFB7FA8A7E729D35B4ED04A12BAC
SHA256:191B83C88D577FDD8A3BEF755C423FB604C971847F9F5172DF822A7CB0318102
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Explorer\SOLIDWORKS Explorer 2019\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidWorks_Flexnet_Server\sw_d_SSQ.lictext
MD5:6C965362C44B0C4E62D83E68803EB877
SHA256:AB3D70A082B2F14F9B1BE48CC35C3093E420D1440418C93C32D9436EAF44A65E
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS PCB\netapi32.dllexecutable
MD5:
SHA256:
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\setup\i386\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Inspection\PDF\setup\i386\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
_SolidSQUAD_.7z