File name: Webyog-SQLyog-Ultimate-v12.0.9.0-x86_YasDL.com.rar

Full analysis: https://app.any.run/tasks/6db21fd1-8702-41bb-867b-eda770ac74a7
Verdict: Malicious activity
Analysis date: July 15, 2024, 09:08:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: upx
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 6E69FC8606E9EF20F23AF04780BBFCE8
SHA1: 5E027663E23F767A7472480862634445B988B333
SHA256: 98CBC93CF37B27BDD130C3C04F3250072073E5006EC57E4A2CFB7982D95F38B3
SSDEEP: 98304:EZKviXlUCeszNVIA8noHjt+UfcQ12k1L2uzCYl1ZXJLEHxFGUxhtDzh0Sb0lpvpT:EPe80yS+MVgVJLn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
    • The process creates files with names similar to system file names

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
    • Creates a software uninstall entry

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3384)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3384)
    • Checks supported languages

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
      • SQLyog.exe (PID: 2980)
    • Manual execution by a user

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
      • QLyog 12.0.9.0 x86.exe (PID: 3196)
      • notepad.exe (PID: 3572)
    • Reads the computer name

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
      • SQLyog.exe (PID: 2980)
    • Creates files in a temporary directory

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
    • Creates files in the program directory

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
    • Creates files or folders in the user directory

      • QLyog 12.0.9.0 x86.exe (PID: 3160)
      • SQLyog.exe (PID: 2980)
    • UPX packer has been detected

      • SQLyog.exe (PID: 2980)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 6659811
UncompressedSize: 6687216
OperatingSystem: Win32
ModifyDate: 2015:03:13 04:25:44
PackingMethod: Normal
ArchivedFileName: QLyog 12.0.9.0 x86.exe
No data.
All screenshots are available in the full report
Total processes
47
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: winrar.exe; qlyog 12.0.9.0 x86.exe (no specs); qlyog 12.0.9.0 x86.exe (THREAT); sqlyog.exe (no specs); notepad.exe (no specs)

Process information

PID: 2980
CMD: "C:\Program Files\SQLyog\SQLyog.exe"
Path: C:\Program Files\SQLyog\SQLyog.exe
Parent process: QLyog 12.0.9.0 x86.exe
User:
admin
Company:
Webyog Inc.
Integrity Level:
HIGH
Description:
SQLyog - MySQL GUI
Version:
12.0.9.0
Modules
Images
c:\program files\sqlyog\sqlyog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3160
CMD: "C:\Users\admin\Desktop\QLyog 12.0.9.0 x86.exe"
Path: C:\Users\admin\Desktop\QLyog 12.0.9.0 x86.exe
Parent process: explorer.exe
User:
admin
Company:
Webyog Inc.
Integrity Level:
HIGH
Description:
SQLyog 12.09 (32 bit) Setup
Exit code:
0
Version:
12.0.9.0
Modules
Images
c:\users\admin\desktop\qlyog 12.0.9.0 x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3196
CMD: "C:\Users\admin\Desktop\QLyog 12.0.9.0 x86.exe"
Path: C:\Users\admin\Desktop\QLyog 12.0.9.0 x86.exe
Parent process: explorer.exe
User:
admin
Company:
Webyog Inc.
Integrity Level:
MEDIUM
Description:
SQLyog 12.09 (32 bit) Setup
Exit code:
3221226540
Version:
12.0.9.0
Modules
Images
c:\users\admin\desktop\qlyog 12.0.9.0 x86.exe
c:\windows\system32\ntdll.dll
PID: 3384
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Webyog-SQLyog-Ultimate-v12.0.9.0-x86_YasDL.com.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3572
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Read Me.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
5 039
Read events
4 999
Write events
40
Delete events
0

Modification events

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Webyog-SQLyog-Ultimate-v12.0.9.0-x86_YasDL.com.rar

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
16
Suspicious files
17
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\System.dll | executable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\version.dll | executable
MD5:EBC5BB904CDAC1C67ADA3FA733229966
SHA256:3EBA921EF649B71F98D9378DEE8105B38D2464C9CCDE37A694E4A0CD77D22A75
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\LangDLL.dll | executable
MD5:9384F4007C492D4FA040924F31C00166
SHA256:60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\ioSpecial.ini | ini
MD5:E2D5070BC28DB1AC745613689FF86067
SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\InstallOptions.dll | executable
MD5:325B008AEC81E5AAA57096F05D4212B5
SHA256:C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Users\admin\AppData\Local\Temp\nsm52EB.tmp\modern-wizard.bmp | image
MD5:D5D5574430A3C93D11D2DF6CF49FE2FD
SHA256:73D230B269127BC0F57A7AEFE8AA0A6C6AB3ADDE21B63D7785D8359E5B397253
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Program Files\SQLyog\SQLyog.exe | executable
MD5:33897A98D200F36C5D53C65C7ABD4492
SHA256:752026DC4EFED081482B1117EDDEA2A0B8CE0007F96835529A6F11E105BAEF0F
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Program Files\SQLyog\mysql_clear_password.dll | executable
MD5:6A98176C712C5E5D9F071A0D2294E6D4
SHA256:50F3B632E6907C407ADB061B45FC6347607CC8C46931E3115FADDAA9E11C37EF
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Program Files\SQLyog\plink.exe | executable
MD5:A0A9C26DD8F91A45650C2A508D4CEDE6
SHA256:93D129C4A610E652DC3A8A2EE0BFC87C2D971BD00A0BA2C76F58802750BE2CED
PID 3160 | QLyog 12.0.9.0 x86.exe | C:\Program Files\SQLyog\dialog.dll | executable
MD5:B95DE1BF605C6D1B885AF5BE490DD1EC
SHA256:ABFCF23985792CA02CE516B29184A25F53757DEBB163457AF96F940FE0FCCA23
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1372
svchost.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6db8a07497701bb0
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
1372
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown
1060
svchost.exe
224.0.0.252:5355
whitelisted
1060
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.114
  • 2.16.164.51
  • 2.16.164.32
  • 2.16.164.97
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

No threats detected
No debug info