Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
5Static
static
3afaa138aa1...18.exe
windows7-x64
3afaa138aa1...18.exe
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3GCSkin/Def...t1.ps1
windows7-x64
3GCSkin/Def...t1.ps1
windows10-2004-x64
3LordTheme/...n0.ps1
windows7-x64
3LordTheme/...n0.ps1
windows10-2004-x64
3TKChatCtrl.dll
windows7-x64
3TKChatCtrl.dll
windows10-2004-x64
3TKEmotionPlayer.dll
windows7-x64
3TKEmotionPlayer.dll
windows10-2004-x64
3TKGC.exe
windows7-x64
3TKGC.exe
windows10-2004-x64
3TKGMChatCtrl.dll
windows7-x64
3TKGMChatCtrl.dll
windows10-2004-x64
3TKGMChatask.exe
windows7-x64
3TKGMChatask.exe
windows10-2004-x64
3TKGameChatCtrl.dll
windows7-x64
3TKGameChatCtrl.dll
windows10-2004-x64
3TKLobby.exe
windows7-x64
3TKLobby.exe
windows10-2004-x64
3TKLord.exe
windows7-x64
1TKLord.exe
windows10-2004-x64
3TKLordDll.dll
windows7-x64
5TKLordDll.dll
windows10-2004-x64
5TKMatchInfo.dll
windows7-x64
3TKMatchInfo.dll
windows10-2004-x64
3TKReplayPlayer.exe
windows7-x64
3TKReplayPlayer.exe
windows10-2004-x64
3Analysis
-
max time kernel
138s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2024, 14:52
Static task
static1
Behavioral task
behavioral1
Sample
afaa138aa1e5f08481643baf7d5315db_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
afaa138aa1e5f08481643baf7d5315db_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
GCSkin/Default/BtnPot1.ps1
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
GCSkin/Default/BtnPot1.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
LordTheme/Default/ChangeYellowBoyBtn0.ps1
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
LordTheme/Default/ChangeYellowBoyBtn0.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
TKChatCtrl.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
TKChatCtrl.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
TKEmotionPlayer.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
TKEmotionPlayer.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
TKGC.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
TKGC.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
TKGMChatCtrl.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
TKGMChatCtrl.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
TKGMChatask.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
TKGMChatask.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
TKGameChatCtrl.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral22
Sample
TKGameChatCtrl.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
TKLobby.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
TKLobby.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
TKLord.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
TKLord.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
TKLordDll.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
TKLordDll.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
TKMatchInfo.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral30
Sample
TKMatchInfo.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
TKReplayPlayer.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
TKReplayPlayer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
TKEmotionPlayer.dll
-
Size
88KB
-
MD5
c24b34d3db0d7169498dd72d3616e553
-
SHA1
eb667d93cf738984f6352e0fa6ed303a506c6c4b
-
SHA256
4aef9608b8b9163279b4e20034baa5e2aa04d1bbbfc469de8b722359a946a74d
-
SHA512
1b3db054d62162956cde87e59b414bc05541e81336b9e34ee0146912efc90a91472d59a3e0dc449cd2b7c90c462e3c2ced78f89d932a457a48e4d473b7e3a192
-
SSDEEP
1536:tM71YW6+VoegNCxOVBn2jdQUbBZJ1NBUP2d:y71L9Voeg8x+n2RQiF1N+PI
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 62 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{24C0E520-9D35-43A6-8B6C-5D738137CEA1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ProgID\ = "TKEmotionPlayer.EMotionPlayer.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TKEmotionPlayer.DLL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CLSID\ = "{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ = "EMotionPlayer Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\VersionIndependentProgID\ = "TKEmotionPlayer.EMotionPlayer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\ = "EMotionPlayer Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ = "IEMotionPlayer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ = "IEMotionPlayer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll, 6001" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{24C0E520-9D35-43A6-8B6C-5D738137CEA1}\ = "TKEmotionPlayer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\ = "EMotionPlayer Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\ = "TKEmotionPlayer 1.0 ÀàÐÍ¿â" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TKEmotionPlayer.DLL\AppID = "{24C0E520-9D35-43A6-8B6C-5D738137CEA1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\CLSID\ = "{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CurVer\ = "TKEmotionPlayer.EMotionPlayer.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\AppID regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3076 wrote to memory of 1416 3076 regsvr32.exe 85 PID 3076 wrote to memory of 1416 3076 regsvr32.exe 85 PID 3076 wrote to memory of 1416 3076 regsvr32.exe 85
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\TKEmotionPlayer.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\TKEmotionPlayer.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1416
-