File name:

SodaPDFDesktop14.exe

Full analysis: https://app.any.run/tasks/63c0eb28-e045-4b3c-a5a1-0d447abce582
Verdict: Malicious activity
Threats:

Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.

Analysis date: April 16, 2024, 11:16:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
malware
spyware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BE299DA4EF9D5C07533849C1058F1915

SHA1:

80380756A4FA2E89EB077C4CD4ED5395244D1125

SHA256:

3899B6B47C358F12FAAF5A88C5EFB9A7D77613D65B1D395A2161EA92774A1FF8

SSDEEP:

98304:UbOi5cc2TWJu3EKMNEZqB/UNSOfuiI12GJZAV8L+Xvrk3JNv8S5CGrLv8kFfguWj:g0NnBr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SodaPDFDesktop14.exe (PID: 3152)
  • SUSPICIOUS

    • Reads the Internet Settings

      • SodaPDFDesktop14.exe (PID: 3152)
    • Reads security settings of Internet Explorer

      • SodaPDFDesktop14.exe (PID: 3152)
    • Reads settings of System Certificates

      • SodaPDFDesktop14.exe (PID: 3152)
    • Checks Windows Trust Settings

      • SodaPDFDesktop14.exe (PID: 3152)
    • Executable content was dropped or overwritten

      • SodaPDFDesktop14.exe (PID: 3152)
    • Adds/modifies Windows certificates

      • SodaPDFDesktop14.exe (PID: 3152)
    • Starts itself from another location

      • SodaPDFDesktop14.exe (PID: 3152)
  • INFO

    • Reads the computer name

      • SodaPDFDesktop14.exe (PID: 3152)
      • SodaPDFDesktop14.exe (PID: 2868)
    • Checks supported languages

      • SodaPDFDesktop14.exe (PID: 3152)
      • SodaPDFDesktop14.exe (PID: 2868)
    • Creates files in the program directory

      • SodaPDFDesktop14.exe (PID: 3152)
    • Checks proxy server information

      • SodaPDFDesktop14.exe (PID: 3152)
    • Reads the machine GUID from the registry

      • SodaPDFDesktop14.exe (PID: 3152)
    • Reads the software policy settings

      • SodaPDFDesktop14.exe (PID: 3152)
    • Creates files or folders in the user directory

      • SodaPDFDesktop14.exe (PID: 3152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:14 09:04:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 7525888
InitializedDataSize: 4367360
UninitializedDataSize: -
EntryPoint: 0x60552f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 14.0.407.3242
ProductVersionNumber: 14.0.407.3242
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Avanquest Software
FileDescription: Soda PDF Desktop 14 Installer
FileVersion: 14.0.407.3242
InternalName: SodaPDFDesktop14.exe
LegalCopyright: © 2010-2023 Avanquest Software. All rights reserved.
OriginalFileName: SodaPDFDesktop14.exe
ProductName: Soda PDF Desktop 14 Installer
ProductVersion: 14.0.407.3242
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
1
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 784
CMD: "C:\Users\admin\AppData\Local\Temp\SodaPDFDesktop14.exe"
Path: C:\Users\admin\AppData\Local\Temp\SodaPDFDesktop14.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\sodapdfdesktop14.exe
c:\windows\system32\ntdll.dll
PID: 2868
CMD: "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /RegServer
Path: C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
Parent process: SodaPDFDesktop14.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\soda pdf desktop 14\installation\sodapdfdesktop14.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 3152
CMD: "C:\Users\admin\AppData\Local\Temp\SodaPDFDesktop14.exe"
Path: C:\Users\admin\AppData\Local\Temp\SodaPDFDesktop14.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\sodapdfdesktop14.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events
10 049
Read events
9 987
Write events
51
Delete events
11

Modification events

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3152) SodaPDFDesktop14.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
Executable files
1
Suspicious files
3
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: der
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Type: der
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Type: binary
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\ProgramData\Soda PDF Desktop 14\Installation\installer-cache
Type: text
MD5:
SHA256:

PID: 3152
Process: SodaPDFDesktop14.exe
Filename: C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
Type: executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
13
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3152
SodaPDFDesktop14.exe
GET
304
88.221.110.91:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0e91f3b2f39a8b9b
unknown
unknown
3152
SodaPDFDesktop14.exe
GET
200
216.58.206.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
unknown
3152
SodaPDFDesktop14.exe
GET
200
216.58.206.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
unknown
3152
SodaPDFDesktop14.exe
HEAD
302
64.15.159.230:80
http://download14-desktop.sodapdf.com/x86/module/main
unknown
unknown
3152
SodaPDFDesktop14.exe
GET
302
64.15.159.230:80
http://download14-desktop.sodapdf.com/x86/module/main
unknown
unknown
1080
svchost.exe
GET
200
2.19.126.137:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e90c163b6659448e
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
3152
SodaPDFDesktop14.exe
104.19.145.4:443
wsgeoip.sodapdf.com
CLOUDFLARENET
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
3152
SodaPDFDesktop14.exe
88.221.110.91:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3152
SodaPDFDesktop14.exe
216.58.206.67:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3152
SodaPDFDesktop14.exe
64.15.159.230:80
download14-desktop.sodapdf.com
IWEB-AS
CA
unknown
3152
SodaPDFDesktop14.exe
64.15.159.230:443
download14-desktop.sodapdf.com
IWEB-AS
CA
unknown
3152
SodaPDFDesktop14.exe
104.19.146.4:443
wsgeoip.sodapdf.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared
wsgeoip.sodapdf.com
  • 104.19.145.4
  • 104.19.146.4
unknown
ctldl.windowsupdate.com
  • 88.221.110.91
  • 2.16.100.168
  • 2.19.126.137
  • 2.19.126.163
whitelisted
ocsp.pki.goog
  • 216.58.206.67
whitelisted
api-updateservice.sodapdf.com
  • 104.19.145.4
  • 104.19.146.4
unknown
download14-desktop.sodapdf.com
  • 64.15.159.230
unknown
redmtl.sodapdf.com
  • 104.19.146.4
  • 104.19.145.4
unknown

Threats

No threats detected
No debug info