c1ce85233af641b7c1cf831a3d95639bf439caa72386d01ad77797e0317e1d2d

Resubmissions

24/08/2024, 21:20

240824-z61jsazfne 7

24/08/2024, 21:16

240824-z4evaszeje 7

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 21:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Pterodactyl Desktop.exe
Size

129.8MB
MD5

8d31a6ec3edf1f6bc88df0506368d63d
SHA1

b9b924b1291e822723fffc98cb05d0710b7641cd
SHA256

6c451ed78396efe6e4e1b0d997b82a7db2d3de81d6a26b51b43ec37f4088862c
SHA512

5e3b2597fb0093b0de4e3d64c7024310c2b5a05ebaa7b07fbe9f7a6283decb978183c6554c4f8352c19e967f416e4f4feb23ecd630098de7ee9a655f498cbf0c
SSDEEP

1572864:omYWQRWtJ65M7a2iu4Rywh9hJyO9N+oJOTU8f/kmgZ2sI:f4M7a2H4Ryu+dNgI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Pterodactyl Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Pterodactyl Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Pterodactyl Desktop.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Pterodactyl Desktop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Pterodactyl Desktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Pterodactyl Desktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Pterodactyl Desktop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Pterodactyl Desktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Pterodactyl Desktop.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1352	Pterodactyl Desktop.exe
1352	Pterodactyl Desktop.exe
4616	Pterodactyl Desktop.exe
4616	Pterodactyl Desktop.exe
4736	Pterodactyl Desktop.exe
4736	Pterodactyl Desktop.exe
4736	Pterodactyl Desktop.exe
4736	Pterodactyl Desktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 448	224	Pterodactyl Desktop.exe	89
PID 224 wrote to memory of 1352	224	Pterodactyl Desktop.exe	90
PID 224 wrote to memory of 1352	224	Pterodactyl Desktop.exe	90
PID 224 wrote to memory of 4616	224	Pterodactyl Desktop.exe	91
PID 224 wrote to memory of 4616	224	Pterodactyl Desktop.exe	91
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93
PID 224 wrote to memory of 3444	224	Pterodactyl Desktop.exe	93

C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe" --type=gpu-process --field-trial-handle=1636,4214610826446591743,14301374283038472512,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  PID:448
- C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,4214610826446591743,14301374283038472512,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe" --type=renderer --field-trial-handle=1636,4214610826446591743,14301374283038472512,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe" --type=renderer --field-trial-handle=1636,4214610826446591743,14301374283038472512,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Pterodactyl Desktop.exe" --type=gpu-process --field-trial-handle=1636,4214610826446591743,14301374283038472512,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Cache\f_000005

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
3246791076efa3b2bad3989f38394313

SHA1
59a9a5614e794107f362e181d7a7aaab70884fdd

SHA256
d27ca88de6ffc34923252e0e665005688d4b3e27a1340761b6db7e2feccbb394

SHA512
f2bb9d3da9f5913f726b0b8235899044162ec01f3871521f03d52926760f1fee8a240fb0746f174119f651ecbf4e002884425aed66ce92afe9aa762aa4fec5f2

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
517ddccc9d70bac1f2ae5ad804b4d183

SHA1
dba0aa976ba339c61335a444b47674aaa2e651e9

SHA256
5a161733a6156be7b4c328aa7ef38eda79636ffacfbb70eb5aac073d7a891bed

SHA512
ef7c9805d32578336778781ab3aea6395b56a7c993debdeb0e091e911fc5118617b7e511170f79d3f7bbe2279bc2506b5435858c4920b1bba769826ca1688859

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Network Persistent State

Filesize
1KB

MD5
5630ce155fffddd7564bca5d57de6a34

SHA1
851c8f8aa3703d30ff101fcdcfea54972a8826b5

SHA256
e3b4b3c600afe1e9631c81f9a74ebe37b9a06bb2d05fd6442dd4e95752362b79

SHA512
fd77187c47efa302e1c2c7bca3c767bcb624b594a5b8c643ba816c6446daeb3b9f106f786bbd6dbf66c879eb01c12cbbeac1cb70860df1557fb373e3f7bc910d

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Network Persistent State~RFe58dcaf.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\pterodactyl-desktop\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/448-9-0x00007FF8A69D0000-0x00007FF8A69D1000-memory.dmp

Filesize
4KB

Download
memory/3444-66-0x00007FF8A6310000-0x00007FF8A6311000-memory.dmp

Filesize
4KB

Download
memory/3444-101-0x000001EEC8070000-0x000001EEC811C000-memory.dmp

Filesize
688KB

Download
memory/3444-117-0x000001EEC79D0000-0x000001EEC7A6E000-memory.dmp

Filesize
632KB

Download
memory/3444-118-0x000001EEC8070000-0x000001EEC811C000-memory.dmp

Filesize
688KB

Download
memory/3444-100-0x000001EEC79D0000-0x000001EEC7A6E000-memory.dmp

Filesize
632KB

Download
memory/3444-67-0x00007FF8A6C40000-0x00007FF8A6C41000-memory.dmp

Filesize
4KB

Download
memory/3444-142-0x000001EEC79D0000-0x000001EEC7A6E000-memory.dmp

Filesize
632KB

Download