File name:

Kompatibilitaetsmodus.exe

Full analysis: https://app.any.run/tasks/acc4fc91-e7bf-435b-85ce-004978d1a6e0
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 07:55:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
sodinokibi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

455C560D6E7805E0DED22FF1C51C2577

SHA1:

67476BF5183C4AFDD584511F170896F91C180A56

SHA256:

B2FF63F76AAEB73B02777C3B79022BA5A0DB2D44F61071AF808C4074E88ED6F7

SSDEEP:

12288:WBa1UgYgkoBcD7p3GvSBEBiBFEf4I9d27V:WBa6gl07SSBdFEp94

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Sodinokibi keys found

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2524)

    • Deletes shadow copies

      • cmd.exe (PID: 2524)

    • Dropped file may contain instructions of ransomware

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Renames files like Ransomware

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Changes settings of System certificates

      • Kompatibilitaetsmodus.exe (PID: 3252)

  • SUSPICIOUS

    • Application launched itself

      • Kompatibilitaetsmodus.exe (PID: 1480)

    • Executed as Windows Service

      • vssvc.exe (PID: 3700)

    • Creates files in the program directory

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Starts CMD.EXE for commands execution

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Creates files like Ransomware instruction

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Adds / modifies Windows certificates

      • Kompatibilitaetsmodus.exe (PID: 3252)

  • INFO

    • Dropped object may contain TOR URL's

      • Kompatibilitaetsmodus.exe (PID: 3252)

    • Manual execution by user

      • WINWORD.EXE (PID: 828)
      • chrome.exe (PID: 216)
      • explorer.exe (PID: 1512)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 828)

    • Application launched itself

      • chrome.exe (PID: 216)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 828)

    • Reads settings of System Certificates

      • chrome.exe (PID: 216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:04:11 09:04:23+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 215552
InitializedDataSize: 582656
UninitializedDataSize: -
EntryPoint: 0x7a14
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Apr-2018 07:04:23

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 11-Apr-2018 07:04:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000348B0
0x00034A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.73595
.rdata
0x00036000
0x0000BA04
0x0000BC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.59227
.data
0x00042000
0x00078650
0x0002A200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.53014
.idata
0x000BB000
0x00002000
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.09516
.rsrc
0x000BD000
0x00005CE6
0x00005E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.5123
.reloc
0x000C3000
0x00002C52
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.63348

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.74696
3752
UNKNOWN
UNKNOWN
RT_ICON
2
5.06402
1384
UNKNOWN
UNKNOWN
RT_ICON
3
5.35314
1736
UNKNOWN
UNKNOWN
RT_ICON
4
5.4673
2440
UNKNOWN
UNKNOWN
RT_ICON
5
4.68941
9640
UNKNOWN
UNKNOWN
RT_ICON
116
2.86251
76
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
28
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start kompatibilitaetsmodus.exe no specs #SODINOKIBI kompatibilitaetsmodus.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs winword.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
216"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
588"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,16686043163500579276,514325628278603429,131072 --enable-features=PasswordImport --service-pipe-token=16790925661171706591 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16790925661171706591 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
828"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\theyre.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
964"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=940,16686043163500579276,514325628278603429,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7688062194486792229 --mojo-platform-channel-handle=4036 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1004"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=940,16686043163500579276,514325628278603429,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=498860061444235802 --mojo-platform-channel-handle=4284 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1336"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,16686043163500579276,514325628278603429,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=12205589556110467561 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12205589556110467561 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1388"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=940,16686043163500579276,514325628278603429,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=17609467124707845415 --mojo-platform-channel-handle=4012 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1480"C:\Users\admin\AppData\Local\Temp\Kompatibilitaetsmodus.exe" C:\Users\admin\AppData\Local\Temp\Kompatibilitaetsmodus.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\kompatibilitaetsmodus.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1512"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1592"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=220 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events
1 318
Read events
1 173
Write events
130
Delete events
15

Modification events

(PID) Process:(1480) Kompatibilitaetsmodus.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1480) Kompatibilitaetsmodus.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:pk_key
Value:
F98DF7AC2CB4082746CE3A0E53BD2583AEB09858B457DB5635C454DDA99ABE40
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:sk_key
Value:
1D5E4DE6FEDCAD9C06BE1661805A9AB11A444EB3DB5B885B4CE04698EC2F7DBBF34BAE462E2CF845F7630837154EA67B1DB3F8BC08A51986D6C5675C00119FE4C0FDF4706AB99B88D3A79AC21CAB54F9FADF8101D451F7F7
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:0_key
Value:
49F47EFAD6ECB3017CC4F88BA9A58D3E4CAF5167393CFAF0C9DFD69E2AFC5FDEA305752FA64AA730E2EC65834AE7A4C9C25273158DCA59B9722F5DFF6C861A9FEF25F708DB4267114A01CAC8030D969B2B60FABFCAEDD1D1
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:rnd_ext
Value:
.frbbl8md
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:stat
Value:
D9175C7775AB8D98CF18E39C54DAE7BB03FF13EC12DDEE531CE26D5838731C7B2AC310D5B50FAAFC12114B80D67DD31789EC8423C1EF1A2F538921862FB86A9665443965738D555C70DDA1A3D2D852422E3381660D260F584ADD4A94CA2D46F9B1480D2947947291A4CFBE99DA711DA8675D11F313AED294216EB20C0022EB51890E5C3ABF0BBAAB7980C4060749CF1EF0322E4FFE87E962FB05BD33EE20041901B196EAF382D12320BD55FD63ED5DDA44AFB63036681546AA48334F4D2DC0953C2464A7445E0BE8BAF3A8FCEBFF9C4907B7FA1EE9A39289E6A9CD742A40F740BDC4F4F29E205474A1874C2AC9C3C5C31ECE07AAC783FCC94076C939A4440C3F7B2C258F17E5A0505CC35B192A5142F055B8AB2D521E8A79DE44572542ED3AC08F39B92923724CB03621842764363D295BD8FADCA4AA1CD09E0D988F61704D9A4183AB55DE6B4200BFF14051A9F7A2421AC4A863B1BE4949260F339E63E59D62F1CABBBEE3899EE66D7FE3F73DCC14DA94390A84565391105195E6CAAB3758EAB4E4C31ACDCF67FEA1C0122B0E4D500E275D4C2663C7A70A26ADDAA3082E3F565332F0759DCE704E7FDEB7EB282EF06F85A47E2CF224B248A316C9CFA45A81D42826E3A7DD96E713C7D2D1BBC43321F3097F137A68A2CCB494849A17885F0A3E19A5B53FC0DDFD4B1FA7967241751403A17E4B321E1CBE2C5CD4207C0F2DEBED633148E11E365172773868FF13826824793AFC5F29887301C1AAEDA74B4223E5D76299CA399027D25CCB8461331440EF900014C4C3879060CD7411199E7D0287484D6DF5CF5F78F107441E7C013D2F62560E0CBBDF62BE369EA7271088F0638C37EE8B724A92828169F1289CE8164A1F37F18EFA7433B186C7EFADC4231386097AF8A0FE74EC09DEAAE245D012F22BA759B9B4A0CB9E0FEA57CD671114E0639BA1D0DE8BBDA4B5074ABF35BE27909E9A02E1509FDBD9C128CB018A2D7799DEC7AE10B06C8C91630A6A7AFCC7034CF4EE9349788FA6F5F94213561E9C9C6A86CD1BC1BF658E8A1750D72A53DAE88B18D56ACC10065F5EE9D53063DCC43825C97A10259780E8D738A37C352D7E61E0493008CFA88D3BD73A63AFCC54C4F6DAF6DDE427CCE067606332BC5FA1BD120D7027AE6FC11912185A8C63EF5C1B2552CF8C498E94930F41EC8DD86F4E24809EAFB3600D4D87867BC3337587F6DBBEA5F38B5B1E078A0D0ECBFEE89EA8DB
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3252) Kompatibilitaetsmodus.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3456) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009
Operation:writeName:Element
Value:
00
Executable files
0
Suspicious files
208
Text files
147
Unknown types
12

Dropped files

PID
Process
Filename
Type
828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5646.tmp.cvr
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
3252Kompatibilitaetsmodus.exec:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.frbbl8md
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\frbbl8md-readme.txtbinary
MD5:
SHA256:
828WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\users\default\frbbl8md-readme.txtbinary
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\recovery\frbbl8md-readme.txtbinary
MD5:
SHA256:
3252Kompatibilitaetsmodus.exeC:\program files\frbbl8md-readme.txtbinary
MD5:
SHA256:
828WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
46
DNS requests
38
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
216
chrome.exe
GET
200
209.85.226.106:80
http://r5---sn-5hne6ns6.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.236&mm=28&mn=sn-5hne6ns6&ms=nvh&mt=1560326077&mv=m&pl=24&shardbypass=yes
US
crx
842 Kb
whitelisted
3252
Kompatibilitaetsmodus.exe
GET
200
205.185.216.10:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
216
chrome.exe
GET
302
172.217.22.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
506 b
whitelisted
3252
Kompatibilitaetsmodus.exe
GET
200
205.185.216.10:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt
US
der
993 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
216
chrome.exe
216.58.206.3:443
www.google.com.ua
Google Inc.
US
whitelisted
216
chrome.exe
172.217.18.174:443
clients1.google.com
Google Inc.
US
whitelisted
216
chrome.exe
172.217.22.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
216
chrome.exe
172.217.22.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
216
chrome.exe
172.217.18.109:443
accounts.google.com
Google Inc.
US
suspicious
3252
Kompatibilitaetsmodus.exe
178.128.155.196:443
floweringsun.org
Forthnet
GR
unknown
216
chrome.exe
216.58.207.35:443
www.gstatic.com
Google Inc.
US
whitelisted
216
chrome.exe
172.217.18.1:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
3252
Kompatibilitaetsmodus.exe
77.104.180.220:443
nbva.co.uk
SoftLayer Technologies Inc.
US
suspicious
3252
Kompatibilitaetsmodus.exe
5.35.225.215:443
cc-experts.de
Host Europe GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.35
whitelisted
www.google.com.ua
  • 216.58.206.3
whitelisted
accounts.google.com
  • 172.217.18.109
shared
floweringsun.org
  • 178.128.155.196
malicious
clients1.google.com
  • 172.217.18.174
whitelisted
ssl.gstatic.com
  • 172.217.22.67
whitelisted
clients2.google.com
  • 172.217.18.174
whitelisted
www.gstatic.com
  • 216.58.207.35
whitelisted
clients2.googleusercontent.com
  • 172.217.18.1
whitelisted
apis.google.com
  • 172.217.16.142
whitelisted

Threats

PID
Process
Class
Message
3252
Kompatibilitaetsmodus.exe
Generic Protocol Command Decode
SURICATA TLS invalid record type
3252
Kompatibilitaetsmodus.exe
Generic Protocol Command Decode
SURICATA TLS invalid record type
3252
Kompatibilitaetsmodus.exe
Generic Protocol Command Decode
SURICATA TLS invalid record type
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Kompatibilitaetsmodus.exe