risepro | 498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe
Size

13.1MB
MD5

0fa077a0a32ed396bb5a053ed013a7b1
SHA1

35c9fe756e3f4c5411221d5887ae6332fc6fbdf7
SHA256

498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae
SHA512

9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791
SSDEEP

196608:G16y1UicZXDmaEKCqtf6PaaLCtx+zFUlBbLrqN3aUQGXM2RKR:Grp0hUPaSfUBbLrqNq/GX8R

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 5 IoCs

pid	Process
5056	SodaPDFDesktop14.exe
2776	SodaPDFDesktop14.exe
4036	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe
208	SodaPDFDesktop14.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Programmable	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ServerExecutable = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\Enabled = "1"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\ = "Installer Class"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ = "\"C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe\""	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS\ = "0"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version\ = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\IconReference = "@C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe,-501"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\ = "GlamInstallerComLib"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
2776	SodaPDFDesktop14.exe
2776	SodaPDFDesktop14.exe
2776	SodaPDFDesktop14.exe
2776	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5056	SodaPDFDesktop14.exe
5056	SodaPDFDesktop14.exe
2848	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 5056	4072	498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe	87
PID 4072 wrote to memory of 5056	4072	498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe	87
PID 4072 wrote to memory of 5056	4072	498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe	87
PID 5056 wrote to memory of 2776	5056	SodaPDFDesktop14.exe	94
PID 5056 wrote to memory of 2776	5056	SodaPDFDesktop14.exe	94
PID 5056 wrote to memory of 2776	5056	SodaPDFDesktop14.exe	94
PID 2776 wrote to memory of 4036	2776	SodaPDFDesktop14.exe	95
PID 2776 wrote to memory of 4036	2776	SodaPDFDesktop14.exe	95
PID 2776 wrote to memory of 4036	2776	SodaPDFDesktop14.exe	95
PID 2776 wrote to memory of 2848	2776	SodaPDFDesktop14.exe	96
PID 2776 wrote to memory of 2848	2776	SodaPDFDesktop14.exe	96
PID 2776 wrote to memory of 2848	2776	SodaPDFDesktop14.exe	96
PID 2776 wrote to memory of 208	2776	SodaPDFDesktop14.exe	97
PID 2776 wrote to memory of 208	2776	SodaPDFDesktop14.exe	97
PID 2776 wrote to memory of 208	2776	SodaPDFDesktop14.exe	97

C:\Users\Admin\AppData\Local\Temp\498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe
"C:\Users\Admin\AppData\Local\Temp\498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\A7117DA5-F5D9-4BF7-9BEC-778CE08104A3\SodaPDFDesktop14.exe
  "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\A7117DA5-F5D9-4BF7-9BEC-778CE08104A3\SodaPDFDesktop14.exe" /update=start /welcome
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\752FCD8E-073C-4D97-8615-1FBE392B9DD6\SodaPDFDesktop14.exe
    "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\752FCD8E-073C-4D97-8615-1FBE392B9DD6\SodaPDFDesktop14.exe" /update=finish /welcome
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4036
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /welcome /no-check-updates
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2848
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /CleanupTempFolder /ParentProcessId=2776
      4⤵
      Executes dropped EXE
      PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 14\Installation\updates-info.json

Filesize
2KB

MD5
92a2e537170cd23ff1f2d4f4f969f745

SHA1
8a6385558dadb56c2ac57f8129a3f9b84e9c723a

SHA256
d60706611383bf32e5d6527633e0691ce7a4862ca3f08578b336813afaa14163

SHA512
a7ef2d578449a1013b562a00023d4edf18b20e7d1b234e68448a4d72f34013dabfdeb80844bd74d30b43947309fcddd880d0b46db41c81f0d7b1045c28510e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
c930736f83fb0cd4c01787bb61d2a04b

SHA1
d27c3ff1a3aa66e33fec1ce6fa4f67f58946637c

SHA256
643eda261db1c399eb61f8b90246037604ab319118ee648d06be862be2677859

SHA512
12c640e68d15bf49924454fa147876d41500aabbbc4ab02f975b8f521c637ad2212c07263d9048f7d38bae3468865a485015f09921293a424aa9902208fa7abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
86bb172ab3c986a54a0373153e43197f

SHA1
beea12ea71bf37ac043450e9f9c2139cbffc33a1

SHA256
1876762e64b1211645b45cee74440f9218c80035a554b3876898e8676f414d57

SHA512
5a1071e1b12ea7e5833c7dbdde94d38b395495aef099684f1ce7948bedff7a04afaf55868542bd58db8084e2e0158cea18e456c384b3b6152f1004d4cc96219b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
84592dbd82fed2f5ea2a2fb75378db3a

SHA1
b9759e2398fad2357d00364239a10ae04a9c6017

SHA256
2c431f1f6f696e625f4d57b5cbf654eba3f4f167c61851d734b419d1f6f7cc50

SHA512
81c2a7d41c983287700b99edac97d3200d634365d1aff2518e208dbecec2d794630240697850ce828f19e2b47126545fa6436db5258f88f9f774f91ac25be981

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
806B

MD5
043c03344950c19eb36ef38da79416af

SHA1
b3dbbf59c63d5396f60313a048efc9c163d2d047

SHA256
a30942371f6238ba947a1096a495f6c841ca4c0ec6eb7306695c8c1952b6869a

SHA512
f41c6e9d58affcb0220882a36d88bfac77684114a6f6a7d01be8cba9cdb3e457856a0276cd291e9863c03c96d4d3848bd6d0c1f1e882e40bf43eafa0d61d9ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
4d6769d9fb7da10f16488bcc0d36871c

SHA1
e6feb219556a61dafda78af03dc2a1389c1bc2b3

SHA256
d83fd8d17e89dc5e378f382e8d23b12091961b51ae64031abadd01aac58c3800

SHA512
a5ebe3fafab78aee41d70b39270785d7601bfce670996c21d2e3bf86168c8adfdea903b76901ef42cc5ba36c502abbba9d0288f106263fe7d07b13705de0d109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
eded7e679f180b721dd214d0a00627f8

SHA1
ab935e8a53f4ebb1c189eaac357e4769ac02fd98

SHA256
0a0b866a005f8faa2f7b2e610f6e5ecf38ff4459970b78d86a1d91539aaa5601

SHA512
9e5e675c748968c2bd72f6126d7d1b62d04bcbf96a127fc576ea58052c5fa8d08353beda9fb621f1a162fc069069a9f7ff34051eaa45fe675cc99688471f9f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
a85588facf5f1333a55b8beb5ddc8109

SHA1
ad86d20ccd709f88a71b335e29463c5ff20212d2

SHA256
e02092ec1e95ac717a788e3053941fc6fd456eb077d7f78f187655a8504e49a3

SHA512
7af063dc91f675575f747574be9d5442c9e58e39f19a8fbfcbbe38867aa70d321b66d9191973f97ddf953ec331137d896f14b4ed675be1d2a653ba08b9bc0557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
552B

MD5
3f46a6aa1d9e3441d6f29ef67a643beb

SHA1
913e7ac62c5298976385dba46394b312dc0acb00

SHA256
46087a2128ab504280b7ca2d4181c44402e32bb0824c349808a17b3d8e77f30d

SHA512
51d848c8d95653eb40acff36845fd47de6860451e63980d670eebfef4c27ef58c744c13aaab813f11eccdf93be90945ba0c3075262d4e9270d0c6bc375d5e738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
51ab5db47e78006038eed296aa01f8ec

SHA1
a18b6eafad9b25dd798d03263fe04c00ac57db9d

SHA256
e3d2cd081383f57cf792d4528799b8644729db1578078ca93368ae6d38e7799d

SHA512
5dc78e9ca402cdef6f881dc9eefbf05dbc484ff44dc656a44d9a48ec03c483889d51acdafadf99ddb173e79967e10b39e5b7b69b1169b57a5c20729a37f7b8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\A7117DA5-F5D9-4BF7-9BEC-778CE08104A3\SodaPDFDesktop14.exe

Filesize
13.1MB

MD5
0fa077a0a32ed396bb5a053ed013a7b1

SHA1
35c9fe756e3f4c5411221d5887ae6332fc6fbdf7

SHA256
498bc2aae60cb6ad3247f39d6c66406b42ffd16adc05301476481460fc41a1ae

SHA512
9d567933f69ac0b9cc6ee9325a3f62785d99b209077dadc4e8ed4176e39dde0014ca4f87e40084110202ab1c7aaf88a5129e82b167d40a816c641cf9687f2791

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\752FCD8E-073C-4D97-8615-1FBE392B9DD6\SodaPDFDesktop14.exe

Filesize
11.4MB

MD5
7204b04eaf140a90cd7e7693875d0c82

SHA1
9612392c5fade2012f5e92adc9165aad1095958e

SHA256
c40d46017c7abfa591751955bc86a3a3b603f551e5e0b4744906710a4dabcee0

SHA512
941ac9f14dedcca6bf5432f493052fd1139987613fa01bda9071675553daeb4809cdb0cdbdda75a957c46f6ccac73afee6c4f1b4b14903ec6c3b831e5b431bdd

Download Submit