Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

CLIPStudioPaint.exe

windows7-x64

1

CLIPStudioPaint.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/06/2024, 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CLIPStudioPaint.exe

  • Size

    32.7MB

  • MD5

    7eef51fe32ad9a7d0dc8ef15ffcc8db4

  • SHA1

    f03ada8ee0e29fcd3e9f37a0d4866041d06cd365

  • SHA256

    c9e771a81d11701e67d8135c8a33797f57e37807668c9790305a617f65caa1ad

  • SHA512

    a24848e4a010e31fa256cce4a2eeec7447ed0f2a6c3a4cff13b91e5233f3990f67ce9ba4d44831635fb63b675d7915864b1a26f6ce7aad1d9c87f88bb8c8e575

  • SSDEEP

    786432:bHmHIwjW2HkkkSmRtBwateQFllmZi1DRb5:yHIwW2HkNV6ateQ7Rb5

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CLIPStudioPaint.exe
    "C:\Users\Admin\AppData\Local\Temp\CLIPStudioPaint.exe"
    1⤵
      PID:2192
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.0.755124831\1265546443" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f45ff50c-2d01-4ef9-962f-3a0b1db895ba} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 1836 220b6111558 gpu
          3⤵
            PID:3712
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.1.988764349\45249109" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4beabe53-9321-4fa1-9882-1bf719252f2b} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 2404 220a9489f58 socket
            3⤵
            • Checks processor information in registry
            PID:208
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.2.625979235\1611617547" -childID 1 -isForBrowser -prefsHandle 3268 -prefMapHandle 3264 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6104bae7-78cd-46df-b6d0-d22c1828967b} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 3280 220b8f17258 tab
            3⤵
              PID:4964
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.3.288885842\1783280803" -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {043d80a3-49e0-467f-8d37-fb4003ae2d3a} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 3016 220bb156358 tab
              3⤵
                PID:1856
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.4.740690986\266498727" -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {965a16f2-a37e-4f6b-8883-3796c119b342} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 5264 220bd65b658 tab
                3⤵
                  PID:1396
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.5.365310657\281834741" -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f45372-0429-487a-99e7-ef625ffe97bd} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 5392 220bd65bf58 tab
                  3⤵
                    PID:4348
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.6.2062957629\415327791" -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5384 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834c3868-90c7-4c73-ada9-ada870ff8d00} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 5600 220bd65c258 tab
                    3⤵
                      PID:2164
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3144.7.1050727865\268531164" -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 6052 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daecba16-7521-418e-8ccb-a8dfd3456161} 3144 "\\.\pipe\gecko-crash-server-pipe.3144" 6068 220bf211058 tab
                      3⤵
                        PID:5576
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbed705adhd543h4d4cha504h58004bb6aef4
                    1⤵
                      PID:5408
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe748d46f8,0x7ffe748d4708,0x7ffe748d4718
                        2⤵
                          PID:4232
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7060927155508800129,4701999659941223398,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
                          2⤵
                            PID:3744
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7060927155508800129,4701999659941223398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4532
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7060927155508800129,4701999659941223398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
                            2⤵
                              PID:5216
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4352
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:5376
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
                                1⤵
                                  PID:5308
                                • C:\Windows\system32\taskmgr.exe
                                  "C:\Windows\system32\taskmgr.exe" /7
                                  1⤵
                                  • Checks SCSI registry key(s)
                                  • Checks processor information in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:5228
                                • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx" /o ""
                                  1⤵
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5480
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:380

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    56067634f68231081c4bd5bdbfcc202f

                                    SHA1

                                    5582776da6ffc75bb0973840fc3d15598bc09eb1

                                    SHA256

                                    8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

                                    SHA512

                                    c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    fdce33bd4ef417df688270559883586e

                                    SHA1

                                    4feb575a60096750564ced1ca23a9743ed848472

                                    SHA256

                                    ab41ed40f035d5170a7bbc9dd0ace871b7be91e9075b4bb58db764550da2db95

                                    SHA512

                                    0f1a311613db6c664d495337b6a8bc60041a62c04ff5aaba0c95a61266bbf6e3ed00e429342b30aa3d47b943b0630e110bb421bbac5a96119de31ae9e410f95a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    8KB

                                    MD5

                                    b0ef381adb185b2e5d85af3516c354ec

                                    SHA1

                                    8bedb05ca20edbbac0164d5ff4838f4cb9968673

                                    SHA256

                                    68ef7b4135b8a25613fdffaffd4d4ab45d3bad80bab96ff4882c3ea093bcd06c

                                    SHA512

                                    dc68696e6c8d0e32311428de5a308b719038a759bee46a271bb64b1c0f0eabe10b51c95d827758a31bfc9ffeb355595f7e22fd7041274a6a54c6ef7d1495784e

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kvgg58fx.default-release\activity-stream.discovery_stream.json.tmp
                                    Filesize

                                    27KB

                                    MD5

                                    b7d42951fb52dd6bb1daaa41a4765f9b

                                    SHA1

                                    2e5d5297d1d05d9f6bff2e5cf754aaf78a8e46da

                                    SHA256

                                    08ffde2e037a28e28179745b2a665182f838cad7557e59e342c1915d01e3f7a0

                                    SHA512

                                    557cc497b7f1fa507ca95873bafa73f850b27f7b2aceabbe09d7533e9f68837c47f545f15b01bbd7b20635802fd015cf0e4e39b0c31119b02227796d68dbd82b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                    Filesize

                                    202B

                                    MD5

                                    8e56ace3e1a321219fb91f6a902cbf3f

                                    SHA1

                                    a891636695dbd8ebe582bada0a821c0b0b2c5ffe

                                    SHA256

                                    8f87addb7d39c9cbbc86110d8f6eb08a97fa9402a82054f241b3901ba0afc9e8

                                    SHA512

                                    79f346ef5cfd4779430b472c80d1e2fb585cd944e9b83c55f18badd8b1cf697e84a4054bb31fe46fa08b2ad00cef2c0bcab5be4f20ef19d925172bce0c8fb8ba

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs-1.js
                                    Filesize

                                    7KB

                                    MD5

                                    b29e6146f0568746b4a56df334cf1d5e

                                    SHA1

                                    276cb4ad9db5b48d0680af77a95e8cfe91a0dc87

                                    SHA256

                                    7875a8bc8426a9dda7efe8aff3c3c0d35b57541bd2fa7a81d674c5bad71dcfee

                                    SHA512

                                    15df2b445db1d45d1609d46297bf5199b4e2b4a397423e0698db0c256dbd8b5629fb0340bc890b2328213e7e938d724054d6c32bae5c26c64f380c98a36310a0

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs.js
                                    Filesize

                                    6KB

                                    MD5

                                    aea40bd8566af92f36a0ad771f102b69

                                    SHA1

                                    7498dcc6a574fb6fa76ce38aad3de8d5fcf1315a

                                    SHA256

                                    6b9bee01ca9c4ef744f7170fd6d5ca6d7c82fc3d885b98bfa599f2e965daca42

                                    SHA512

                                    38918d6f71e8ae2308a4c9aebea5f841142bc0ffdacc20b37bad9eeebe538929f44a23efc358c2e9c976a3d6f2c3f49e4f04801b097e5b4b993b0843eb5aafdb

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore-backups\recovery.jsonlz4
                                    Filesize

                                    3KB

                                    MD5

                                    7332a1934e181bf1b9e76ec8dc832b3d

                                    SHA1

                                    b12b05662b363237e3086cb7b2f92d5bc8ac6b97

                                    SHA256

                                    c8e80c05fb51229c3ad5c9752f5f9665a99fde4449b787edd7be103712ba36b4

                                    SHA512

                                    27143f2b7c3666e27c93af4e2dacefd0e3bf094fe4872f6a758928b8e86ca5466becb55c2ff26f0b3561b0bec17c4b0615df8366ffbb2167604295594a422167

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore-backups\recovery.jsonlz4
                                    Filesize

                                    4KB

                                    MD5

                                    d10644d8ac6284bf6eff109ffe5ef776

                                    SHA1

                                    a4fdfff4516142dc0a4a1759a4f42e4d9b881855

                                    SHA256

                                    d77eff24ac118ff34f7e97bfde1ab2f27a2f8faa2bd740a6138748b59261e152

                                    SHA512

                                    f7c9b5a7558f4d35e9fe6b2847ab49e4f307e679fde775ff10cd4449e40d325f1229812fc4acfe2ea3078fc2e4ad9313406a252a1e4048cf365d46d12a055211

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore.jsonlz4
                                    Filesize

                                    4KB

                                    MD5

                                    c5982240c010f0c6353066f776d87de5

                                    SHA1

                                    31e815de2bdb67f219c2365dfde7cfa12f3b1c6e

                                    SHA256

                                    9986c69eadb6d5338cbe4d087cb3a8c4ef5effd764bf2f1f5b5b7a742668f78c

                                    SHA512

                                    546c5eb13c135b6d6d8c73cf09e751fa3f6f35f31e04418484aeca8e40fc76da437c7e0a538743a33d42609b8dd813ff8558876a4705ba163547290dee388771

                                    Download Submit

                                  • memory/5228-288-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-277-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-284-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-285-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-289-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-278-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-287-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-286-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-283-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5228-279-0x0000026E43A20000-0x0000026E43A21000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5480-292-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-290-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-294-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-293-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-295-0x00007FFE51F00000-0x00007FFE51F10000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-296-0x00007FFE51F00000-0x00007FFE51F10000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-291-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-335-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-336-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-337-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5480-334-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download