7d46710c9b1a8990d2829bf6477852cf68e9c2db5d70569cd606640a2800de1a

Analysis

max time kernel
42s
max time network
107s
platform
windows7_x64
resource
win7v20201028
submitted
05-12-2020 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Soda_PDF.exe
Size

16.1MB
MD5

1ade035f7b9da35bbc4a30a04f48214a
SHA1

3b64edde9c4175b3e09d677bc66e15bc9d0740d7
SHA256

7d46710c9b1a8990d2829bf6477852cf68e9c2db5d70569cd606640a2800de1a
SHA512

ded224e349d8ed4957e301b6d313c2ab13494b4fffca1523710f2ed9795b9eeb3ef970789ccbca60dfde7c45178bd6cf39db92dff8c28048ce593529e1fb27af

Score

7^/10

spyware

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exeSoda_PDF.exeDllHost.exe

pid process

1712 regsvr32.exe
1836 Soda_PDF.exe
1836 Soda_PDF.exe
1836 Soda_PDF.exe
1060 DllHost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1712	regsvr32.exe
1836	Soda_PDF.exe
1836	Soda_PDF.exe
1836	Soda_PDF.exe
1060	DllHost.exe

JavaScript code in executable 6 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll	js

Modifies registry class 590 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F0BF36A-9836-48A0-A41F-643D32BE878D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A172F54-610F-493E-A119-84CDBCE19932}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99813506-6787-4F94-9841-D68603E24F97}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF0E6C56-94AA-4DE6-A5F4-721A0E2240DA}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61A2973C-B4EC-4493-8E05-A60A44ABBC65}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 12\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D763BB2-3FFA-43E8-8AE2-408CBAEDD237}\ = "InstallItemToolbar Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F0BF36A-9836-48A0-A41F-643D32BE878D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA254B1E-3176-4816-9B2A-C25EFD3545D7}\ = "IInstallItemModule3_1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61D40A79-EFAE-40A0-88CB-59C15CC521CF}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD18878-92B5-40A5-B6A7-584E4E258808}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAF1B65C-5621-42A4-A5A1-1ECEADB60979}\ = "InstallItemModule Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8E1AD8-9F39-4893-8E7D-4711474B309E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE1DC8C1-1F7E-49E2-B9B6-61F3188BE346}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19ABDFD5-C458-434A-9729-8DC017E71A9A}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0442FC3C-1B29-4727-ABAB-87037321DD29}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D763BB2-3FFA-43E8-8AE2-408CBAEDD237}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75A7903-6951-400D-810F-FE6C8E271380}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA254B1E-3176-4816-9B2A-C25EFD3545D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99813506-6787-4F94-9841-D68603E24F97}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D5CB3A4-D4C6-4527-B823-304B72BF902D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B23A337-E4CA-4CB2-AB24-4EECDFD85266}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F18FEAC-F911-4A0A-B238-7BA8D4F64C7F}\AppID = "{EA99D9A6-92E7-43AD-9616-97BEA0A8CC1B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A623E508-4758-4101-A4E6-8E0D68D68774}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{32E5E5C6-4E9D-4DD6-99D0-CDD46B321421}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7820DB4E-4DA1-4D97-B140-73B6F7801256}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAF1B65C-5621-42A4-A5A1-1ECEADB60979}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4EAE84A1-48D8-45E4-BF9C-446333F4111D}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A623E508-4758-4101-A4E6-8E0D68D68774}\ = "IInstallItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A172F54-610F-493E-A119-84CDBCE19932}\ = "IDownloadItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A172F54-610F-493E-A119-84CDBCE19932}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61D40A79-EFAE-40A0-88CB-59C15CC521CF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2971308-C011-4AF5-86A0-4C374EA9ADBF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF0E6C56-94AA-4DE6-A5F4-721A0E2240DA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61A2973C-B4EC-4493-8E05-A60A44ABBC65}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA254B1E-3176-4816-9B2A-C25EFD3545D7}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F18FEAC-F911-4A0A-B238-7BA8D4F64C7F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F0BF36A-9836-48A0-A41F-643D32BE878D}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A49DF67-14D2-4726-86F4-21DF18ED307B}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{32E5E5C6-4E9D-4DD6-99D0-CDD46B321421}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D5CB3A4-D4C6-4527-B823-304B72BF902D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D36CBB6-AA91-4986-82D7-228D123C3160}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 12\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B23A337-E4CA-4CB2-AB24-4EECDFD85266}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EAE84A1-48D8-45E4-BF9C-446333F4111D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A249FCE8-6781-4667-A8C5-DCA879885BFC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0442FC3C-1B29-4727-ABAB-87037321DD29}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}\ = "ISaveUserDataStructLong"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EAE84A1-48D8-45E4-BF9C-446333F4111D}\ = "IInstallItemsList"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A623E508-4758-4101-A4E6-8E0D68D68774}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD18878-92B5-40A5-B6A7-584E4E258808}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B79EFE-8E9E-49DA-8286-D68D4B830570}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 12\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{462B192A-B4FB-4E40-A255-0905A37CBA61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19ABDFD5-C458-434A-9729-8DC017E71A9A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\ = "IDownloadItemExternalApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0442FC3C-1B29-4727-ABAB-87037321DD29}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE1DC8C1-1F7E-49E2-B9B6-61F3188BE346}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Soda_PDF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Soda_PDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Soda_PDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Soda_PDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Soda_PDF.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Soda_PDF.exe

pid process

1836 Soda_PDF.exe
1836 Soda_PDF.exe
1836 Soda_PDF.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

msiexec.exe

description pid process

Token: SeRestorePrivilege 304 msiexec.exe
Token: SeTakeOwnershipPrivilege 304 msiexec.exe
Token: SeSecurityPrivilege 304 msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Soda_PDF.exe

pid process

1836 Soda_PDF.exe
1836 Soda_PDF.exe
1836 Soda_PDF.exe

pid	process
1836	Soda_PDF.exe
1836	Soda_PDF.exe
1836	Soda_PDF.exe

description	pid	process
Token: SeRestorePrivilege	304	msiexec.exe
Token: SeTakeOwnershipPrivilege	304	msiexec.exe
Token: SeSecurityPrivilege	304	msiexec.exe

pid	process
1836	Soda_PDF.exe
1836	Soda_PDF.exe
1836	Soda_PDF.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Soda_PDF.exe

description	pid	process	target process
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe
PID 1836 wrote to memory of 1712	1836	Soda_PDF.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\Soda_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Soda_PDF.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA99D9A6-92E7-43AD-9616-97BEA0A8CC1B}
1⤵
- Loads dropped DLL
PID:1060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
bee1e13a1539a6deabd27db7895ace7d

SHA1
c45f5c4ac79ec7fe4929156a300b49966bf2d6f8

SHA256
578c4de43429a35ba27e87bb253b43e788d0455430533bad428a03ebe4fd79f8

SHA512
1c73b3a4698e1fa35d80c4bc973a475e89fef15cc861c609edc80eadfb1c573340a9c2923f07d81f840d5a4e4cdcd7d6b4c4805faff3b680bc4f2aa602e3230d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_310C68564439DDC07EAF1291A9BF6ADB
MD5
80867f33dfbe534c2d6735abf00bf4db

SHA1
f9f9c38e20db1a752a3ea56872f6b8725e64f30f

SHA256
95983a3fdfd0f4295cacf477b67ab5effed76b86e18719a455e7c7224950e5b2

SHA512
fb9f987ff0cd43972d52ff420ecb16032762230f523b92363d125c426cd3aacf901864af30d8545a61dbdb4943d6a34575eb0e519a9c6b70b618834c8f2499c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
eb98bdc01c5c423d290dc0c244912517

SHA1
21d2a07ebf100d683d6a8d8dd51a93ef39734bda

SHA256
4f7979eac1be4644b6a518ea280cc6d4c44c627fae5c102f7eaca929dc7cd04b

SHA512
72297fec9b6461125be1f2884fab4dc5b2745565b0b54719185c8bff16b87ec0ac33f75c974b9c3245cda44263a389b5cd651fc8ec4963c064b3ff70ad238ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
428035d301e8d4431b1d63eedcb80d34

SHA1
b8feb6510c876107b4db223c175489e1dca549fb

SHA256
5ac0356b136d6e3757515fe1ec871c89d0f8353bbdc8e8828dd6bf994326fb22

SHA512
41ceabfa97e771798bb17d932cc1f6f9bd7a915f05bc7d19940d6a22bd17c9a95c9968a919acddc7e1ef624e39bfa72c3e8b3ed2facbfbf8896df884cfcffa60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_310C68564439DDC07EAF1291A9BF6ADB
MD5
42533f5aaf5dbdb7ad916f6b2c1e55df

SHA1
7deeaf47aae5a3beaa95fefc145373dea6b94e91

SHA256
f7c41689185156f9791bdf73a12085a7ab7075d182d7ccd8ad559ee23b912152

SHA512
eb87d0644b624964d5dcb912f5db8247a8ef8bda8610e2bd9b239fb67c7128b8ced55ee6eb6e6a8b779b00b54c16559f03cd2602e00aac989de90bcdbd53baa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\859IEHG9.txt
MD5
0a7b605026e06a597b641087126dbdbb

SHA1
0c4f858e3b9de2b4e3bb599a1d3b8d90b2aae789

SHA256
88827771a0ab4fb1772ce970a05c326af6c8121dec83104d6952c28431c4894a

SHA512
3731dec368a82c2621636e954278e4b474c2804c3eca31f13ab3161b973bfea721a013e644730f2d3c3b93b860c25b240cd176793f1878c981f8c1bee7709d4c

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\Statistics.dll
MD5
f9acde23d61ec10e842826c6ee4803a3

SHA1
a7d11eb7aad25b8bc4166777cca01636d3df70f4

SHA256
a1c5e9f2f75fbd958489142086d8a05d1f93bc8fb79826af2f1283281955c6e6

SHA512
c368ff43a8c7714ac0768e9282e194a714d3d7c637e1c29fffcd8015c9802b3f590f9787b44105c205b25379cb9effd27219324a11bb427a0290ddb0e5c612cf

Download Submit
memory/1492-5-0x000007FEF6670000-0x000007FEF68EA000-memory.dmp

Filesize
2.5MB

Download
memory/1712-2-0x0000000000000000-mapping.dmp

Download
memory/1836-22-0x0000000005EC0000-0x0000000005EE3000-memory.dmp

Filesize
140KB

Download