a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe
Size

1.7MB
MD5

0cc5dc97283bfeee413467481e6822b4
SHA1

e60240c37dc62b6ae1795583cab43dc10bb9dce0
SHA256

1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed
SHA512

e2794ef5d4abb23ba09ad1e9884c0463dff0ac43608f1b30053949727fafdca957ad2980bb43f655940eaf215f0ac52e37f90369aa621033b4c775875cc008b0
SSDEEP

24576:9lXvnqqFQJLYYC2TU6oH+gyFlbUscwL4ie+JwcIKIgYbK1uV9279NAl5Q9AxJ//F:zfKq0lbUscwkp+jmcVg3Uha

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp

Loads dropped DLL 5 IoCs

pid	Process
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
4900	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2352	1148	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe	89
PID 1148 wrote to memory of 2352	1148	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe	89
PID 1148 wrote to memory of 2352	1148	1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe	89
PID 2352 wrote to memory of 4900	2352	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe	90
PID 2352 wrote to memory of 4900	2352	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe	90
PID 2352 wrote to memory of 4900	2352	[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe	90

C:\Users\Admin\AppData\Local\Temp\1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe
"C:\Users\Admin\AppData\Local\Temp\1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\is-ABLNT.tmp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ABLNT.tmp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp" /SL5="$5004E,722115,152064,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4900

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.exe

Filesize
1.2MB

MD5
c2a1bd6ace6cdb4b8de1b120e2b39e4f

SHA1
a75cfe74a7ff7574b1e3b494d9e56bd527eb0074

SHA256
e8ca4938e08021e1db3ac1bbf498ceca3c21264584360c3101f7a5664d966423

SHA512
640c9b9dc2653183c1ab8477688962307ebb73032d1b71caadbe50d530bb4e19ce98095b7f11ae70c7aafc251da68533ba0c9aa52faa7123573a1c1661a09b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gameworld.exe

Filesize
283B

MD5
90f0484dfa4b0d62268e627534de6d17

SHA1
73b9a68c79aa94b4eb53af9aeb69df7c202cd2f5

SHA256
93d72ea06c6548904e9a99f3e538bd8d9e74153ba2ad39c277bf4a043b09f712

SHA512
0f1539774ef15b399c07d4161d3da7b9a8ba0dda25287aba06ab8e48b9ff839bb5e793b77ed341efd8a81fd7a8953e5e2251e98bbd609668ea23daad71a22022

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ABLNT.tmp\[FreeTP.Org]Enshrouded-Multiplayer-Fix-Online-v1.2.tmp

Filesize
1.4MB

MD5
7300211c571951be86be6c6f8cdfc09d

SHA1
5464e16689003406513c7677b3d970f673551d18

SHA256
e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da

SHA512
9c340edcd63c87565a9de26892d2e83647798583cc942bf608b54e86b8fd36bc2ad64421241b88f0a0682e7c006a5af712e62d3231ca5a81264d8b1a1905ebb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\CheckBox.png

Filesize
7KB

MD5
abd301b0263b0e0cebdd71e4855ac7d3

SHA1
1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

SHA256
aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

SHA512
b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\WizardImage.jpg

Filesize
62KB

MD5
b91658597f15d7f689c86f5a2e7824bd

SHA1
00da609aa0b39140b767a3bc2644433d64edbd71

SHA256
b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

SHA512
00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\button.png

Filesize
12KB

MD5
51af4120d6d22b1126cc87a5143740ef

SHA1
1cb4e91e765537a72c9628056d29fbd6a7ce515c

SHA256
c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

SHA512
2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\get_hw_caps.dll

Filesize
76KB

MD5
2e35d2894df3b691dbd8e0d4f4c84efc

SHA1
d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

SHA256
869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

SHA512
29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENMF8.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
memory/1148-0-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2352-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-72-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4900-146-0x0000000009FC0000-0x0000000009FD5000-memory.dmp

Filesize
84KB

Download
memory/4900-104-0x0000000009990000-0x000000000999D000-memory.dmp

Filesize
52KB

Download
memory/4900-76-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4900-183-0x0000000009FC0000-0x0000000009FD5000-memory.dmp

Filesize
84KB

Download
memory/4900-182-0x0000000009990000-0x000000000999D000-memory.dmp

Filesize
52KB

Download
memory/4900-181-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4900-191-0x0000000009FC0000-0x0000000009FD5000-memory.dmp

Filesize
84KB

Download
memory/4900-190-0x0000000009990000-0x000000000999D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads