URL:

https://drive.google.com/file/d/13lG1C98BB41zsOBBo-ZykRCKCzNjO6N8/view?usp=drive_web

Full analysis: https://app.any.run/tasks/465a57f9-c7e2-4a4f-bfe4-b8be70d06dea
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 18, 2018, 15:06:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
stealer
trojan
Indicators:
MD5:

E1A8BC377A977E5099C3233140922CE1

SHA1:

8CF9E02A464A1A5950B2E265D92DDB70C23CE508

SHA256:

9D3718D695F29BE88B5910F1233DD84C81D2B6B330304D94ACD6A3E64CF2CFB7

SSDEEP:

3:N8PMMtZJulo/UStnT/upfb2ITVrM5AH:2ACtnTmpftJrn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 00_Offer_Lufthansa_Technik_8117883.pdf.pif (PID: 3732)
      • o32.exe (PID: 3464)
      • fc32.exe (PID: 3060)
      • ip.exe (PID: 2984)

    • Stealing of credential data

      • ip.exe (PID: 2984)
      • o32.exe (PID: 3464)
      • fc32.exe (PID: 3060)
      • 00_Offer_Lufthansa_Technik_8117883.pdf.pif (PID: 3732)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2464)
      • 00_Offer_Lufthansa_Technik_8117883.pdf.pif (PID: 3732)

    • Connects to unusual port

      • 00_Offer_Lufthansa_Technik_8117883.pdf.pif (PID: 3732)

    • Checks for external IP

      • ip.exe (PID: 2984)

    • Loads DLL from Mozilla Firefox

      • fc32.exe (PID: 3060)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2952)
      • chrome.exe (PID: 2464)

    • Creates files in the user directory

      • iexplore.exe (PID: 3252)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3252)
      • chrome.exe (PID: 2464)
      • iexplore.exe (PID: 2952)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2952)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2952)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2464)
      • iexplore.exe (PID: 3252)

    • Changes internet zones settings

      • iexplore.exe (PID: 2952)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
17
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs 00_offer_lufthansa_technik_8117883.pdf.pif chrome.exe no specs ip.exe fc32.exe o32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2124"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,2066167163831079509,3461745954016535131,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=F68B65C6675473B8080056D366D9F76A --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=F68B65C6675473B8080056D366D9F76A --renderer-client-id=8 --mojo-platform-channel-handle=2244 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2364"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=896,2066167163831079509,3461745954016535131,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=BBAAD8DCF3802B10D2C1BE46D37E67D7 --mojo-platform-channel-handle=4316 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2460"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2468 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2464"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2644"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,2066167163831079509,3461745954016535131,131072 --enable-features=PasswordImport --service-pipe-token=B85657E121A9815F80F0E93BA8305755 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=B85657E121A9815F80F0E93BA8305755 --renderer-client-id=3 --mojo-platform-channel-handle=2056 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2944"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=896,2066167163831079509,3461745954016535131,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=8B173FA6C738B4EF9FABCDFAF1587B4D --mojo-platform-channel-handle=3816 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2952"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2984"C:\Users\admin\AppData\Local\Temp\ip.exe"C:\Users\admin\AppData\Local\Temp\ip.exe
00_Offer_Lufthansa_Technik_8117883.pdf.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3060"C:\Users\admin\AppData\Local\Temp\fc32.exe"C:\Users\admin\AppData\Local\Temp\fc32.exe
00_Offer_Lufthansa_Technik_8117883.pdf.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\fc32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3252"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 076
Read events
926
Write events
145
Delete events
5

Modification events

(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{920615C3-02D6-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E2070C00020012000F00070002005601
Executable files
8
Suspicious files
64
Text files
94
Unknown types
16

Dropped files

PID
Process
Filename
Type
2952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3252iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
3252iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\view[1].txt
MD5:
SHA256:
2952iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF30A083FB3A58FAD2.TMP
MD5:
SHA256:
2952iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5CBA598B2967FEF9.TMP
MD5:
SHA256:
3252iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\view[1].htmhtml
MD5:
SHA256:
2952iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFBA5CF87B1DDA7FF1.TMP
MD5:
SHA256:
2952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{920615C4-02D6-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
3252iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\css[1].txttext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
51
DNS requests
27
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2952
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2984
ip.exe
GET
200
78.47.139.102:80
http://myexternalip.com/raw
DE
text
13 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2952
iexplore.exe
172.217.168.35:443
ssl.gstatic.com
Google Inc.
US
whitelisted
2464
chrome.exe
216.58.215.234:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2464
chrome.exe
172.217.168.45:443
accounts.google.com
Google Inc.
US
whitelisted
2464
chrome.exe
172.217.168.14:443
drive.google.com
Google Inc.
US
whitelisted
2464
chrome.exe
172.217.20.100:443
www.google.com
Google Inc.
US
whitelisted
2464
chrome.exe
216.58.215.238:443
apis.google.com
Google Inc.
US
whitelisted
3252
iexplore.exe
172.217.168.10:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3252
iexplore.exe
216.58.215.238:443
apis.google.com
Google Inc.
US
whitelisted
2464
chrome.exe
172.217.17.35:443
www.google.de
Google Inc.
US
whitelisted
2464
chrome.exe
216.58.215.227:443
www.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
drive.google.com
  • 172.217.168.14
shared
fonts.googleapis.com
  • 172.217.168.10
whitelisted
www.gstatic.com
  • 216.58.215.227
whitelisted
fonts.gstatic.com
  • 172.217.168.3
whitelisted
apis.google.com
  • 216.58.215.238
whitelisted
ssl.gstatic.com
  • 172.217.168.35
whitelisted
clientservices.googleapis.com
  • 216.58.215.227
whitelisted
www.google.de
  • 172.217.17.35
whitelisted
safebrowsing.googleapis.com
  • 216.58.215.234
whitelisted

Threats

PID
Process
Class
Message
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
2984
ip.exe
Potential Corporate Privacy Violation
ET POLICY Possible IP Check myexternalip.com
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
3732
00_Offer_Lufthansa_Technik_8117883.pdf.pif
A Network Trojan was detected
MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://drive.google.com/file/d/13lG1C98BB41zsOBBo-ZykRCKCzNjO6N8/view?usp=drive_web