risepro | 498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe
Size

13.1MB
MD5

0fa077a0a32ed396bb5a053ed013a7b1
SHA1

35c9fe756e3f4c5411221d5887ae6332fc6fbdf7
SHA256

498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae
SHA512

9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791
SSDEEP

196608:G16y1UicZXDmaEKCqtf6PaaLCtx+zFUlBbLrqN3aUQGXM2RKR:Grp0hUPaSfUBbLrqNq/GX8R

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 5 IoCs

pid	Process
2740	SodaPDFDesktop14.exe
4460	SodaPDFDesktop14.exe
5016	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe
440	SodaPDFDesktop14.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\ = "Installer Class"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS\ = "0"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version\ = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation	SodaPDFDesktop14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\Enabled = "1"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ = "\"C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe\""	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\ = "GlamInstallerComLib"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ServerExecutable = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\IconReference = "@C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe,-501"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Programmable	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
4460	SodaPDFDesktop14.exe
4460	SodaPDFDesktop14.exe
4460	SodaPDFDesktop14.exe
4460	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2740	SodaPDFDesktop14.exe
2740	SodaPDFDesktop14.exe
3904	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2740	1472	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	82
PID 1472 wrote to memory of 2740	1472	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	82
PID 1472 wrote to memory of 2740	1472	2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe	82
PID 2740 wrote to memory of 4460	2740	SodaPDFDesktop14.exe	89
PID 2740 wrote to memory of 4460	2740	SodaPDFDesktop14.exe	89
PID 2740 wrote to memory of 4460	2740	SodaPDFDesktop14.exe	89
PID 4460 wrote to memory of 5016	4460	SodaPDFDesktop14.exe	90
PID 4460 wrote to memory of 5016	4460	SodaPDFDesktop14.exe	90
PID 4460 wrote to memory of 5016	4460	SodaPDFDesktop14.exe	90
PID 4460 wrote to memory of 3904	4460	SodaPDFDesktop14.exe	91
PID 4460 wrote to memory of 3904	4460	SodaPDFDesktop14.exe	91
PID 4460 wrote to memory of 3904	4460	SodaPDFDesktop14.exe	91
PID 4460 wrote to memory of 440	4460	SodaPDFDesktop14.exe	92
PID 4460 wrote to memory of 440	4460	SodaPDFDesktop14.exe	92
PID 4460 wrote to memory of 440	4460	SodaPDFDesktop14.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_0fa077a0a32ed396bb5a053ed013a7b1_avoslocker_magniber_metamorfo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\E299074F-2A0F-4166-9B26-4B4B91FB3AB0\SodaPDFDesktop14.exe
  "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\E299074F-2A0F-4166-9B26-4B4B91FB3AB0\SodaPDFDesktop14.exe" /update=start /welcome
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\B6A39C7D-BCD9-44F6-9C6C-4C4E8B6290C8\SodaPDFDesktop14.exe
    "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\B6A39C7D-BCD9-44F6-9C6C-4C4E8B6290C8\SodaPDFDesktop14.exe" /update=finish /welcome
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5016
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /welcome /no-check-updates
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3904
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /CleanupTempFolder /ParentProcessId=4460
      4⤵
      Executes dropped EXE
      PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 14\Installation\updates-info.json

Filesize
2KB

MD5
c4b5a218a102e8b0161d38808890be4a

SHA1
de82199bae48c5ea9ceb4a6fac6091a021048370

SHA256
c630914cd475444c03d106ffe37353707bd1fe00b07e8be4f354a597031218af

SHA512
1bb951c65d9b32f12a1004658f09209e26e13734f7be6e8a06ce8d09079fd838850e0e65d83ad746a0785dc36fcd7dd449ddb796e1fc9679404dea7e8d2eb1f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
c930736f83fb0cd4c01787bb61d2a04b

SHA1
d27c3ff1a3aa66e33fec1ce6fa4f67f58946637c

SHA256
643eda261db1c399eb61f8b90246037604ab319118ee648d06be862be2677859

SHA512
12c640e68d15bf49924454fa147876d41500aabbbc4ab02f975b8f521c637ad2212c07263d9048f7d38bae3468865a485015f09921293a424aa9902208fa7abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
86bb172ab3c986a54a0373153e43197f

SHA1
beea12ea71bf37ac043450e9f9c2139cbffc33a1

SHA256
1876762e64b1211645b45cee74440f9218c80035a554b3876898e8676f414d57

SHA512
5a1071e1b12ea7e5833c7dbdde94d38b395495aef099684f1ce7948bedff7a04afaf55868542bd58db8084e2e0158cea18e456c384b3b6152f1004d4cc96219b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
84592dbd82fed2f5ea2a2fb75378db3a

SHA1
b9759e2398fad2357d00364239a10ae04a9c6017

SHA256
2c431f1f6f696e625f4d57b5cbf654eba3f4f167c61851d734b419d1f6f7cc50

SHA512
81c2a7d41c983287700b99edac97d3200d634365d1aff2518e208dbecec2d794630240697850ce828f19e2b47126545fa6436db5258f88f9f774f91ac25be981

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
806B

MD5
043c03344950c19eb36ef38da79416af

SHA1
b3dbbf59c63d5396f60313a048efc9c163d2d047

SHA256
a30942371f6238ba947a1096a495f6c841ca4c0ec6eb7306695c8c1952b6869a

SHA512
f41c6e9d58affcb0220882a36d88bfac77684114a6f6a7d01be8cba9cdb3e457856a0276cd291e9863c03c96d4d3848bd6d0c1f1e882e40bf43eafa0d61d9ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
00a0f3fae726e66bb3c93ea4ac7cb126

SHA1
21835797bc2d19e04dd7acf81514170d507c7fab

SHA256
92372fc8a9b0fc13e0c7c1c5841504360851cb143af045be43ab04515d3aef72

SHA512
61b0238e98c0bc40ba969821218de1a16ec3191780083b700490176f62ad189858018ce3b12192c55c5a81b540c0d2a8eec1ad87fab0a8077c8edbb73cb9603a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d3ac159070558f60ff514ea261abcb2a

SHA1
30089a2fb7cf4a61097895fdc6777484f907a968

SHA256
d283dfe9ce72d5220f8392b81d3f5bbff83db884b82a59c65cfedef199595b42

SHA512
7d7009abfbf228a1a760f3a65243c08b569e5c6742a8e6c0b4b3434f157e7cecdefbab66b880b621c84d6059596b0d56a62c0fea3a79b92e01d75ddfa29e2c10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
2a75bc6b02b1762d98adc22bfcebfc71

SHA1
d1528b9e448c2b3aaaa2df27efd3e0f3c3de1347

SHA256
e88d69555447db9646fc5066ce7fb816c1df4a8fdaa70941ec46909d752901ca

SHA512
dabddf911e63cc9a0b9d762efc9b4e64c662c6afd55baa4cb9108449335db1692d8a7da4c020167ebee5d39911f5e80a6f8ed697be457317bef66d0213bf9ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
552B

MD5
7758e8341550a6a4720787c292dca3f5

SHA1
58ef8608793007fc72f9a5b03112933a7027d6fa

SHA256
26a6dec71963ceff7bfefaa78ea8c401f3364ffb476d0240a7b98a0bb2baea7c

SHA512
791dbd97817e7111a3f15dd2180084b8b3c0303a3d6f415c31db10643a37287d285c1e404d29ce10937529ec985619f9e9a59900464a1fea554305aac6f7b412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
31b0770b67d28f0efa2a8d2fb7549cb6

SHA1
a2edd2f6ea3f9b28d8e6383c87ff98798f696016

SHA256
82ddf566c4f14fa641f21133ce8e6c5d8e87decbf279120b0b29be446943203e

SHA512
5d227781b14b6b8e7cf8f6adbc5d4b3efd5ff7afd36d68a4981f604e20fc31e1377154b21558e9c78a15ab22b91e115aa8fdecb3aba93d730ba4441772ba52e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\E299074F-2A0F-4166-9B26-4B4B91FB3AB0\SodaPDFDesktop14.exe

Filesize
13.1MB

MD5
0fa077a0a32ed396bb5a053ed013a7b1

SHA1
35c9fe756e3f4c5411221d5887ae6332fc6fbdf7

SHA256
498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

SHA512
9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\B6A39C7D-BCD9-44F6-9C6C-4C4E8B6290C8\SodaPDFDesktop14.exe

Filesize
11.4MB

MD5
13867ab60e71359f49c3683f20306fc9

SHA1
2452a479490a8c677e399c6b7aca83170bf89c85

SHA256
d9b5042d60f5f9793fe6530587c2ea72e2c11a792f985472c96e1f6ba95dd1c5

SHA512
8e3f56a63c1348b350efb144964081cd5033f72e55681405b1b3acfe4e782779b3b0e99733b925393358d2a56f45a5eb268731b0991b8209635cee847ef0fdcf

Download Submit