Malware Analysis Report

2025-06-16 00:36

Sample ID 241111-ap437sybkr
Target SQLRayCLI.rar
SHA256 53151501e631dda534f95bbcc84469c39ed1dc9781b6137bc7c14d174971de3a
Tags execution
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 53151501e631dda534f95bbcc84469c39ed1dc9781b6137bc7c14d174971de3a

Threat Level: Likely malicious

The file SQLRayCLI.rar was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 00:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 00:24

Reported

2024-11-11 00:26

Platform

win7-20240903-en

Max time kernel

143s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp N/A
N/A N/A \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 set thread context of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
PID 3040 wrote to memory of 1396 N/A \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp C:\Windows\system32\conhost.exe
PID 3040 wrote to memory of 1396 N/A \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp C:\Windows\system32\conhost.exe
PID 3040 wrote to memory of 1396 N/A \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp C:\Windows\system32\conhost.exe
PID 3040 wrote to memory of 1396 N/A \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp C:\Windows\system32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force

\??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp

"C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe"

\??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

C:\Windows\system32\conhost.exe

conhost.exe

Network

N/A

Files

memory/2696-1-0x0000000077311000-0x0000000077312000-memory.dmp

memory/2696-0-0x0000000140000000-0x000000014011D000-memory.dmp

memory/2696-3-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-4-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-2-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-5-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-6-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-8-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-7-0x00000000772C0000-0x0000000077469000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e9185349e265b79cd29bdf6434d12b88
SHA1 7099053f518a746249e890e8b4c708a0956ac785
SHA256 192d7dd83d04fbec45fc6e3c37d78932c3dc480e3658bdd1a821d6cf6f4ef133
SHA512 9a7441ebcc8c5873a3d4c53bafc0eea6e31f64a156189bf3686e7c7e98fae63bbdac651c3fb2c2ac5f8eae8451bf48edc6566b82bd171e81f141ba9d8a896f51

memory/2696-19-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-18-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-20-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2792-22-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-21-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2696-23-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2792-24-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2792-26-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2792-25-0x0000000002790000-0x0000000002798000-memory.dmp

memory/2792-27-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/3040-29-0x0000000000430000-0x00000000004D4000-memory.dmp

\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp

MD5 86d23632843c402a3a34828bb99317c9
SHA1 ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256 eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA512 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

memory/3040-31-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/2696-36-0x00000000035F0000-0x0000000003C31000-memory.dmp

memory/2696-38-0x00000000035F0000-0x0000000003C31000-memory.dmp

memory/3040-46-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

memory/2696-62-0x0000000140000000-0x000000014011D000-memory.dmp

memory/2696-64-0x00000000772C0000-0x0000000077469000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp

MD5 0989e97671939f5b29ceae47a923b168
SHA1 555deb232516cbcd21f52ea4043e3a6ac2dd97f9
SHA256 ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2
SHA512 22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658

memory/2860-58-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2696-51-0x00000000035F0000-0x0000000003C31000-memory.dmp

memory/3040-43-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/3040-67-0x0000000140000000-0x0000000140641000-memory.dmp

memory/3040-66-0x0000000140000000-0x0000000140641000-memory.dmp

memory/2696-65-0x00000000035F0000-0x0000000003A02000-memory.dmp

memory/3040-68-0x0000000140000000-0x0000000140641000-memory.dmp

memory/2860-70-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

memory/3040-78-0x0000000140000000-0x0000000140641000-memory.dmp

memory/1396-76-0x0000000000060000-0x0000000000068000-memory.dmp

memory/3040-75-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/1396-81-0x0000000001C20000-0x0000000001C2E000-memory.dmp

memory/2860-82-0x0000000140000000-0x0000000140412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 00:24

Reported

2024-11-11 00:27

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp N/A
N/A N/A \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1204 set thread context of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 set thread context of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
PID 1204 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force

\??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp

"C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe"

\??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp

"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/1204-0-0x0000000140000000-0x000000014011D000-memory.dmp

memory/1204-1-0x00007FFFFF0AD000-0x00007FFFFF0AE000-memory.dmp

memory/1204-3-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-2-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-4-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-5-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-7-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-8-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/1204-6-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k52izb4f.uky.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/780-18-0x000001C9E1BA0000-0x000001C9E1BC2000-memory.dmp

memory/780-28-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/780-29-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/780-30-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/4680-31-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/780-34-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4680-38-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Temp\665.sqlraycli.tmp

MD5 8fd1d495b09695f4fb95638213559464
SHA1 8525bec9fcc14bfb53145f339b5498c7d5948563
SHA256 21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2
SHA512 80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4

memory/1204-47-0x0000000004880000-0x0000000004EC1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp

MD5 86d23632843c402a3a34828bb99317c9
SHA1 ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256 eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA512 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

memory/4744-62-0x0000000140000000-0x0000000140641000-memory.dmp

memory/1204-64-0x0000000140000000-0x000000014011D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp

MD5 0989e97671939f5b29ceae47a923b168
SHA1 555deb232516cbcd21f52ea4043e3a6ac2dd97f9
SHA256 ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2
SHA512 22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658

memory/1204-65-0x00007FFFFF010000-0x00007FFFFF205000-memory.dmp

memory/4744-50-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4744-71-0x0000000140000000-0x0000000140641000-memory.dmp

memory/524-74-0x0000000140000000-0x0000000140412000-memory.dmp

memory/524-83-0x0000000140000000-0x0000000140412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config.yml

MD5 b2f54e952a76f7a26a817e55ed74cbb8
SHA1 cfd0aaa620eb21e8b0e6983d1c9da71eea041131
SHA256 a35030e632ea165c675260d8b86dfaf24a460ebc514f39988b1cc073bc4f6878
SHA512 af1663e1092ef8158b07b6528f3d731a48d378434cc32c1aea8c74bd8e782aaa412abec63a462e224a40d8cc29d0db6b663c56c49c5544e8bcfbea74b3a4d535

memory/524-90-0x0000000140000000-0x0000000140412000-memory.dmp