General Info

URL

http://link.ins.pl/.mxr1ouq0/Wersja.1.21.3.6.zip

Full analysis
https://app.any.run/tasks/9706b0d8-db1b-49ba-9eca-62082f73443a
Verdict
Malicious activity
Analysis date
7/11/2019, 14:51:45
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • InsERT_TaskService.exe (PID: 2420)
  • SuslakGeneratorPodmiotowService.exe (PID: 3920)
  • SuslakService.exe (PID: 3648)
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 1708)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2876)
Manual execution by user
  • InsERT_TaskService.exe (PID: 2420)
  • WinRAR.exe (PID: 2876)
  • SuslakGeneratorPodmiotowService.exe (PID: 3920)
  • SuslakService.exe (PID: 3648)
Application was crashed
  • InsERT_TaskService.exe (PID: 2420)
Creates files in the user directory
  • opera.exe (PID: 2904)
Reads Internet Cache Settings
  • opera.exe (PID: 2904)
Dropped object may contain Bitcoin addresses
  • opera.exe (PID: 2904)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Processes

Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Nodes of the graph, as extracted from the page (a process marked "no specs" triggered none of the specs listed below):

  • start
  • opera.exe
  • winrar.exe
  • searchprotocolhost.exe (no specs)
  • suslakservice.exe (no specs)
  • suslakgeneratorpodmiotowservice.exe (no specs)
  • insert_taskservice.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1708
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\unity.container.dll
c:\users\admin\desktop\unity.abstractions.dll
c:\users\admin\desktop\unit4se.ing.api.dll
c:\windows\system32\acppage.dll
c:\windows\system32\msxml3r.dll
c:\users\admin\desktop\system.runtime.compilerservices.unsafe.dll
c:\users\admin\desktop\suslakws.dll
c:\users\admin\desktop\suslakservice.exe
c:\users\admin\desktop\suslakgeneratorpodmiotowservice.exe
c:\users\admin\desktop\suslak.dll
c:\users\admin\desktop\insert_taskservicelib.dll
c:\users\admin\desktop\insert_taskservice.exe
c:\users\admin\desktop\insert_suslak.commhub.views.dll
c:\users\admin\desktop\insert_suslak.commhub.viewmodels.dll
c:\users\admin\desktop\insert_suslak.commhub.services.dll
c:\users\admin\desktop\insert_suslak.commhub.models.dll
c:\users\admin\desktop\insert_suslak.commhub.core.dll
c:\users\admin\desktop\insert_skryptysql.dll
c:\users\admin\desktop\insert_jobs.dll
c:\users\admin\desktop\insert_dxwpf.dll
c:\users\admin\desktop\insertex.dll
c:\users\admin\desktop\ingapimockservices.dll
c:\users\admin\desktop\cib\unit4se.ing.api.dll
c:\users\admin\desktop\cib\nlog.dll
c:\users\admin\desktop\cib\interop.insert.dll
c:\users\admin\desktop\cib\insert_suslakcib.dll
c:\users\admin\desktop\cib\insert_servicecib.exe
c:\users\admin\desktop\cib\insert_logger.dll
c:\users\admin\desktop\cib\insertex.dll
c:\users\admin\desktop\cib\cib_tester.exe
c:\users\admin\desktop\cib\cib.dll

PID
2904
CMD
"C:\Program Files\Opera\opera.exe" http://link.ins.pl/.mxr1ouq0/Wersja.1.21.3.6.zip
Path
C:\Program Files\Opera\opera.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.34.11\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\shdocvw.dll
c:\program files\winrar\winrar.exe
c:\windows\explorer.exe
c:\windows\system32\userenv.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mssvp.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wpdshext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\actxprxy.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\zipfldr.dll

PID
2876
CMD
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Wersja.1.21.3.6.zip" C:\Users\admin\Desktop\
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3648
CMD
"C:\Users\admin\Desktop\SuslakService.exe"
Path
C:\Users\admin\Desktop\SuslakService.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
InsERT S.A.
Description
SuslakService
Version
1.11.9.1
Modules
Image
c:\users\admin\desktop\suslakservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\c37de755ec3ee73d604bc11f85599177\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
3920
CMD
"C:\Users\admin\Desktop\SuslakGeneratorPodmiotowService.exe"
Path
C:\Users\admin\Desktop\SuslakGeneratorPodmiotowService.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
InsERT
Description
SuslakGeneratorPodmiotowService
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\suslakgeneratorpodmiotowservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\c37de755ec3ee73d604bc11f85599177\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2420
CMD
"C:\Users\admin\Desktop\InsERT_TaskService.exe"
Path
C:\Users\admin\Desktop\InsERT_TaskService.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3762504530 (0xE0434352, the Windows exception code the .NET CLR uses for an unhandled managed exception; consistent with the "Application was crashed" signature above)
Version:
Company
InsERT S.A.
Description
InsERT_TaskService
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\insert_taskservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\c37de755ec3ee73d604bc11f85599177\system.serviceprocess.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll

Registry activity

Total events
1081
Read events
940
Write events
141
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1708
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
1708
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E
@C:\Windows\System32\acppage.dll,-6003
Windows Command Script
1708
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E
@C:\Windows\System32\msxml3r.dll,-1
XML Document
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\opera.exe http://link.ins.pl/.mxr1ouq0/Wersja.1.21.3.6.zip
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_FolderType
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewID
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewVersion
0
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Mode
4
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
LogicalViewMode
1
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
1092616257
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
IconSize
16
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Sort
000000000000000000000000000000000200000030F125B7EF471A10A5F102608C9EEBAC0A0000000100000030F125B7EF471A10A5F102608C9EEBAC0E000000FFFFFFFF
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
1
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner
ProperTreeModuleInner
9C000000980000003153505305D5CDD59C2E1B10939708002B2CF9AE3B0000002A000000004E0061007600500061006E0065005F004300460044005F0046006900720073007400520075006E0000000B000000000000004100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00000000000000000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
ExpandedState
(value omitted)
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
6
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
2
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616257
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
48
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A000000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000A66A63283D95D211B5D600C04FD918D00B0000007800000030F125B7EF471A10A5F102608C9EEBAC0E00000078000000
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
1
6F0070006500720061002E0065007800650000000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
MRUListEx
0100000000000000FFFFFFFF
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\zip
0
7600320000000000000000008000576572736A612E312E32312E332E362E7A697000540008000400EFBE00000000000000002A0000000000000000000000000000000000000000000000000057006500720073006A0061002E0031002E00320031002E0033002E0036002E007A0069007000000022000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\zip
MRUListEx
00000000FFFFFFFF
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
1
7600320000000000000000008000576572736A612E312E32312E332E362E7A697000540008000400EFBE00000000000000002A0000000000000000000000000000000000000000000000000057006500720073006A0061002E0031002E00320031002E0033002E0036002E007A0069007000000022000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
MRUListEx
0100000000000000FFFFFFFF
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
6F0070006500720061002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
6F0070006500720061002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001300000080020000F3010000000000000000000000000000000000000100000000000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
6F0070006500720061002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FCFFFFFFFCFFFFFF04050000B802000000000000000000000000000000000000000000001300000080020000F3010000000000000000000000000000000000000100000000000000
2904
opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
MRUListEx
0100000000000000FFFFFFFF
2904
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2876
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100

Files activity

Executable files
29
Suspicious files
24
Text files
18
Unknown types
21

Dropped files

PID
Process
Filename
Type
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\CIB.dll
executable
MD5: 564baef84e04eac5772868506fa11dae
SHA256: c124428a1a178725f3470152b8ab4f4d2bc86e17864f3aa735fa559f3862d512
2876
WinRAR.exe
C:\Users\admin\Desktop\INGApiMockServices.dll
executable
MD5: e1c6bf1dde062456940a3b457522ddce
SHA256: 0f8b474fd460d8b11003e4d1695a93d459556899999b99ac4a65f3ee2026fae0
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_TaskServiceLib.dll
executable
MD5: 5fa4cda0443ae741b23c49951a37a906
SHA256: 92041c1ebcc229f84334fd73f5882edb079e0b6f83cbec1bf1d5521c49ba75a7
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\Interop.InsERT.dll
executable
MD5: 6e6be58c5420c11bac7337a65fa60c96
SHA256: 6c783e4214310cec38172204241f6af97e60c5e2db7943f1be24ccfd0b516a5c
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_TaskService.exe
executable
MD5: a22bf8282afbcf2255ffd6309164f30c
SHA256: 2d12a6643288b3e6e8a7371f989bd1e208045e4aa0c5b99c631bbff0288f7f0a
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\NLog.dll
executable
MD5: aa224f2be32ea556282e24824771eb04
SHA256: 2fb24a38f6b72faefa386ef81f4df8830c2760b2ec89c19bb5ac68eac3e30127
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakGeneratorPodmiotowService.exe
executable
MD5: 1a0b47c7999eb86ec1c8564a98cba8ec
SHA256: 4e9e3e2c1ae9324513bce74aa047ca35f12bd793f0ad90a8a0e299cee9ac019f
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_SuslakCIB.dll
executable
MD5: c81e7a088ae3ea3fa765bd7abde6cbe1
SHA256: f50e7b1fcf49b25341df70bddb57f113c964e0297fbaf10efd5e51ac76ca512c
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakWS.dll
executable
MD5: b0750ed0e41e2624b539194e30872a79
SHA256: 762983a2cf2b4500eb2e71ccfe1a68d5661b07acac667dbce84fdbe1551e3114
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_ServiceCIB.exe
executable
MD5: 3adf8d692b15c56d520f4036f2fd3bb1
SHA256: 05316ca3c77dc11bd7e7101b28ac54e8eb46d0d14b96ff94484a8dc3dfcb87af
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\Unit4SE.ING.Api.dll
executable
MD5: 8d6272dc83ba47589d0331c0e14e49f9
SHA256: c96e749bfc6e4bc5387cb0f24528a1decc1fc4e91333e637763bde7087bad8f9
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakService.exe
executable
MD5: 098ada19e945995fdfd2f0a856eb006e
SHA256: fbf6fa9d6dd375250a7a9a07a4dd07fccfc84cdf3a8a0ac417b12741c25868ba
2876
WinRAR.exe
C:\Users\admin\Desktop\Unity.Container.dll
executable
MD5: 8e5ed70da20ec62fcdf2c1c5282f091c
SHA256: 64fa6532aea5e48ccda8206bc8a69b691cc4cfbb948c6129bcc99f1370ddb7fb
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_Logger.dll
executable
MD5: 5e86b814eacfc9bf75c6e07d4f11fbc3
SHA256: b4b4d431341df84eb9a4d9bc1d8d91a9070450d69d48326ca2fede3f41eb24f6
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERTEx.dll
executable
MD5: 62374ffacb3b4071697e7b4f3e2c2388
SHA256: b8603da73f731d5d2357ffedf3f821c87be603c7a4827487fe8172e4e05153cc
2876
WinRAR.exe
C:\Users\admin\Desktop\System.Runtime.CompilerServices.Unsafe.dll
executable
MD5: a5aa80f49ad64689085755ab1ebf086e
SHA256: a79e1c30e9308afe4d680f0bfb82de3e8c1fe94aeca453ec4092c3ed4789ae6b
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_DXWPF.dll
executable
MD5: 6e05942ff5de1bfc4fcc4916d069a172
SHA256: 8f4a134d3bf0eaba1e40e8691f6b7db8af9d900a42376f906d20090f1b51f8e3
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERTEx.dll
executable
MD5: da94f075003c87a667be5d769d610cd2
SHA256: 73f28682d888b3b75ccd55a56f6f0307878981839e2302a09798c4bf251da9cc
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Jobs.dll
executable
MD5: 33aef4ec9f4cbf5680154500d9dd90b0
SHA256: d77fb8cb059842442a93c27d53943d08526807eba73e23a87302dd2a6213caae
2876
WinRAR.exe
C:\Users\admin\Desktop\Unity.Abstractions.dll
executable
MD5: 96a8a19f87b143a4a494829abe5b1689
SHA256: d26a89e53628369d94ff25a39632ec7e9c0e878178e1b66f2173bc8ab554ee66
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Views.dll
executable
MD5: bbb4a5a80bbf1d13b9fce82326236822
SHA256: 112bfe07537e04440bb74d2ee167131c155ab88ab970140c264cf9ff5e080f76
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\CIB_Tester.exe
executable
MD5: e361283eb4a957dc030dbfa9b2fbf53f
SHA256: 883310e390ad1ad1a8a1deecdcd4f1b9156d8639b5e80f9162c841d9961d07ff
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Core.dll
executable
MD5: ef6263de9220aaabc340e74bef3b8217
SHA256: 30214a825c8d248b041a95492e1f5ff66b9315bad4d0885f0382f25a49bd5185
2876
WinRAR.exe
C:\Users\admin\Desktop\Unit4SE.ING.Api.dll
executable
MD5: bf152982cfde0fb97e5468b41fdd1533
SHA256: a6647965b1e764956dc35ac67788ac3d80fe9c5334d931c369e3affba3625522
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Models.dll
executable
MD5: 36d6c685a6bbe361f65ca3e9ba6647a6
SHA256: c0596ab5c727043031c9209237520a18c4a2a862924e592c7f5c4ee70f6d5bbd
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_SkryptySQL.dll
executable
MD5: 2773d444461c7d4145e8db785d95b7d9
SHA256: 7e9b13e7d1d199186d5226c920ee93aaee73ebaf81dd25abb67fea6f1343f2ed
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Services.dll
executable
MD5: 502f704121ad294dd16486e78f3f437e
SHA256: 9c4a29a88159827fc4ae60bc86e4e083ec1e07d7a72f6c5bc65435bfd806dc7c
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.ViewModels.dll
executable
MD5: 8b20f7b19742e34378c5057d132df173
SHA256: 75b94813491aa18690110a45ba804d2dec22739c0f853ce055ab96182c9b5234
2876
WinRAR.exe
C:\Users\admin\Desktop\Suslak.dll
executable
MD5: 14944443849c8237f0a64e7d1f713829
SHA256: 9e5bbc0a30381cd1e7c28612455ec41640e9aa189f15c0430459a6800a25c045
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\register.cmd
text
MD5: f50881e81214f769fd9b808f0af080f8
SHA256: 41866eee0836a8245def4cbd33ec1dcb66a3b5798eb946c30f3c7c45ea19d4e5
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakService.pdb
pdb
MD5: 9598a7c9e795277c01ebcb5073499461
SHA256: fc349cc019939607a5ca97d3db7d23e45ed3eebbf4b0c22eb9910466fb317446
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Services.pdb
pdb
MD5: 5ae4e0e431aedfbbe160aff4eafb7ab1
SHA256: f8428f8b687fec244a422dc5d389e96903e03c7d8a7f3981515fa53fb7bfe11e
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakGeneratorPodmiotowService.pdb
pdb
MD5: 98f6618d4e675ad285dcb1a6e04e9eb2
SHA256: 1dcc9d38c94c46e7fbc14812b15a23432e7ae17b58222275232d2a0e298f3246
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Jobs.pdb
pdb
MD5: 1267f6e750debead51ba63b58482e61f
SHA256: 02f45e389ff022eaa87d707711962aef937777a2b909ae435f58b56cf88e7857
2876
WinRAR.exe
C:\Users\admin\Desktop\UAT copy to Suslak folder.cmd
text
MD5: 97eb81e17427a8da1d079e64e1d5cc55
SHA256: 3582ae211854c6159b95e49716d1871028f4c5cd8eb1f336b471e3c010f5991d
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_SkryptySQL.pdb
pdb
MD5: 5202f2c0a527c1498d12a7df633a414a
SHA256: 05ad1500bc8e22cf359b717badb58511e338baf26a26305ef686e693423be065
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_DXWPF.pdb
pdb
MD5: 162e042ea7ec726d91a4481406163308
SHA256: 50083f26c40d43604647602f53512425ee7ccc32e3e066a58d025c55cfe5abd7
2876
WinRAR.exe
C:\Users\admin\Desktop\Suslak.pdb
––
MD5:  ––
SHA256:  ––
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERTEx.pdb
pdb
MD5: 8c216f995dd927ab60c81f2c254ddfae
SHA256: 7c19ef268bd0dd8eb0654f8b920b4c2dbe0aa5eb46969d07f0a3e4d39fbb8310
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_DXWPF.dll.config
xml
MD5: 15a26acb4d7398e1c4cc149d33138f49
SHA256: 9e2e7be3aded95ed097e283711df730e68e35910456d06f78e8890606e9edb42
2876
WinRAR.exe
C:\Users\admin\Desktop\UAT copy to old.cmd
text
MD5: 1353324ce1bf81b44e2655313434abdf
SHA256: 164d4457a9c9125a2765a09116a5fb8630296d7b78ee92a3512597c5d8365517
2876
WinRAR.exe
C:\Users\admin\Desktop\PRE copy to Suslak folder.cmd
text
MD5: f6713d8a7f677776f35d8615dfe1ed96
SHA256: 658e086961d2729063d782a275756f149349bafd265449be9c20ee1a0a03a0e6
2876
WinRAR.exe
C:\Users\admin\Desktop\INGApiMockServices.pdb
pdb
MD5: 3b2939553116295224c4bb248dcb3d0d
SHA256: 6a5d7a2ab46800a90730c135e0f9d631af677c98fcb0f733b02458035474af75
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\unregister.cmd
text
MD5: 5a90368b381ee3bdf09181e77ebce7a0
SHA256: 4540501cab3676ed2efd1e0e70b0f4c7c385c7635cc4cc200ef564015be446fb
2904
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552
2876
WinRAR.exe
C:\Users\admin\Desktop\UAT restore from old.cmd
text
MD5: 5153ccbb28db9fd8b78f4a400eaca33c
SHA256: e6a2c8d51d88cf299db1bc78b3c6321352b1b78b8ab410a65674df5d11243066
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\uninstall.cmd
text
MD5: 8f5994996e1b233e378886691426ad9b
SHA256: f41259e3117edef6c3751ec616b3ab004da1c049c9a1efc43586874258bb5538
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_TaskService.pdb
pdb
MD5: a5bf124cc66d5ca45a0edf508ecdc9aa
SHA256: bb91c52e31fb2ae24dfaa7c81babe3f5117347e9d2d4970af563e6e335213d4e
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\NLog.xml
xml
MD5: 11ced0903aa1acb14fc65a090becf55b
SHA256: d5ea10121a8e475a79fb032ec5fac1188c5d937b544ff8a371fb13f2243e112d
2876
WinRAR.exe
C:\Users\admin\Desktop\SuslakWS.pdb
pdb
MD5: 24e47032a4fd74b3a163ad6cc684e905
SHA256: 5924204c9023eefc6110f2ea5c999346f20cb0769c1d171e87df8bf9799a7b36
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Views.pdb
pdb
MD5: 47e10724b72c190a8a8be9b175e2dfbc
SHA256: f8fba96c9a35fa3f41990c4dbc64b04264cfbdfeff81d250437ea83600cdb63a
2876
WinRAR.exe
C:\Users\admin\Desktop\System.Runtime.CompilerServices.Unsafe.xml
xml
MD5: 26cd9e7e8a62bb97cace4e4ac16987a0
SHA256: 63e32ebb4b26c25f65ddf26b5fa9d7147a9c8b45df355db90ac706afec980036
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_ServiceCIB.pdb
pdb
MD5: 2b96153b8fb6593898707f999844d407
SHA256: a72125c6ee796850d6ac5ed43d7908dd8d527980eba9e096757c165c4577a553
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_SuslakCIB.pdb
pdb
MD5: 82dbd68ab29b740b99b6fa4827759106
SHA256: 0ca6b4a88869b15c487ce8fb7fb918e9feec7955ceb21c2ebe7be3b012e035d8
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERT_Logger.pdb
pdb
MD5: 6e80d7f140a38e899ff93c8309c4ef18
SHA256: debb31b9f15b6e2dfb8984baf4ad6df964b301731b89a66d0dd2855d7add9e58
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\install.cmd
text
MD5: f736149bb49b735608b16874fa2d0d78
SHA256: f59f4550cb340e4ce685459ee61565a3e184eeebe6ed941c3f0ebb59299a8176
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.ViewModels.pdb
pdb
MD5: 0673dee5601d7fc94cc756de0d703ddb
SHA256: db0825db138798df8a6c8fafa20a2668fa8e5b95fb11b66a923479074b46eabb
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\InsERTEx.pdb
pdb
MD5: 2011a171201ba5b060e8e85c69bcb3b9
SHA256: edabbc971ca9f131f71aa4ff0d2818d7c6f9d6de85ffdaff66adf64f7d30cf54
2876
WinRAR.exe
C:\Users\admin\Desktop\Unity.Abstractions.pdb
binary
MD5: 8cbfbdce235ad3adeb9c03f1705c0838
SHA256: f2b5582201422f25efd76272339b4819a23c1f85996f91bb95274c283d4c6d3f
2876
WinRAR.exe
C:\Users\admin\Desktop\Unity.Container.pdb
binary
MD5: d12b729decf18d0c088bc307526b8e7c
SHA256: 00f0c4658ebcad763469801796a5cc8354594c8297d7d21f3f48024bd2d3fc9d
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Models.pdb
pdb
MD5: ad182d3e4621b919851905c59191462d
SHA256: 1a97be3d0fdd2606ffa9cbabbf5d2874a73526923e87d08c53b83b6dcb6d9c1a
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\CIB.pdb
pdb
MD5: cc1c598af87b069608cb95c901a3b040
SHA256: 6a28eec79a732e5f5df9beb31e3368c2abd5b4b0628ee0c0526903a479ec5ac9
2876
WinRAR.exe
C:\Users\admin\Desktop\CIB\CIB_Tester.pdb
pdb
MD5: 4a1fef2949121b68123dae54ddafdf53
SHA256: afa77b874a2ebf90c0cf061101430244c6422db161c37ed8a7bd9ed2b4013585
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_Suslak.CommHub.Core.pdb
pdb
MD5: 9197e69293d45757f67d4bfa40b5c10a
SHA256: 3799c45567878088dfb202bda3ea1597aa6132de5349535248d80e8b7a6c10c9
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 646fed43452cb73fb65e3ce56b019d1e
SHA256: 095c152133cfca153e23ca136aa9b3a8dedf13dc59f61ae2ecd58d8f47f4b6b1
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat
binary
MD5: 4131241e2da99ba99d9fc1fd6a2bda81
SHA256: 36fb5f738ae71d9d8c248aa9296cb8b5a1bfa6c810ac38826ec2182ee69b2b16
2904
opera.exe
C:\Users\admin\Desktop\Wersja.1.21.3.6.zip
compressed
MD5: 9a1048a561f95dd29c21be813069488e
SHA256: dfeac634d9e09e29b2ba491d3fbccac2d676e0adf3bded83dc06014a0d8b9614
2904
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\g_0000\opr00001.tmp
compressed
MD5: 9a1048a561f95dd29c21be813069488e
SHA256: dfeac634d9e09e29b2ba491d3fbccac2d676e0adf3bded83dc06014a0d8b9614
2904
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp
html
MD5: 7f077f1fce3d566040b0d69eb1f27d8f
SHA256: 487ad0d2cf075f4328a1adf57ef428759ad4e2c873a8ebd2ad9653990829c9cf
2904
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
2904
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF154c93.TMP
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
2904
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E67NNFT4DTVN9YR89XWE.temp
––
MD5:  ––
SHA256:  ––
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 7f5dcbf9f067f258078d5071195d5c51
SHA256: fec0be3946fe4780375cee50eb647bea4fb130af228e473fe442b39ff19d0492
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 4be05d60b3c68a9d964b0a1cd61480cb
SHA256: e529e3eb96d31d0da3e513397209a25ce7c4ccb8f5e7992ac236d3d57182a1b6
2904
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
xml
MD5: efb9196b6acb6bb863fba9c098a80649
SHA256: c73bcc570e31d00d1c57aef63e0347910bb887660a8694a902822717606dd8b1
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 59761e989f564f76a3a4b778db7abcf1
SHA256: af879942d234d85c0ce75921dbdda50e2f6d135bd961f259106131751359052b
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
binary
MD5: 82f1a2b1176a5ecc457d32301e2ad833
SHA256: a783052804dd4c232be2ed3dc00c430cb67a20370890e235562ed2b27b5a602e
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 6b945207cf1a5b36ab82f0fc2e755bba
SHA256: d429b822a0d41b1a525d5bd24f682232c17cf93411c60f6d2db4068bf8290f9d
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2904
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\g_0000\opr00001.tmp
compressed
MD5: de8498da125fe50ad90bdd5952774f11
SHA256: dcd46c935f307db0fd2262f87116208db4da1827b92c8a0f5cce237774f983a1
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
xml
MD5: da6d10fd0f8273466a57fbd2d1ada57e
SHA256: 889cba6f0e7a18790189a872844304cee979e7b8befdac96d905d19437e3e52f
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr41B8.tmp
––
MD5:  ––
SHA256:  ––
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 0100e3d2a29941ceef4e37312a7fa332
SHA256: 0c42c7737a5aba75c8e2ea967e2a994542b2c641d0a370edc41bc4d70a7cac70
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: 9a70a460ed3fcb8aea0a1e09f7952152
SHA256: de0579ec17f9d833930bd3844a54cc27cbb997bb75ac2593cc57531350f827e6
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr4159.tmp
––
MD5:  ––
SHA256:  ––
2904
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr4148.tmp
––
MD5:  ––
SHA256:  ––
2876
WinRAR.exe
C:\Users\admin\Desktop\InsERT_TaskServiceLib.pdb
pdb
MD5: 66294d9cf9f8d31623a4d659a5b3de79
SHA256: acb917a02fc51ceeeabc3abf3ed2c8cc24eea7e6d5435e911145950475d4c76b

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
5
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2904 opera.exe GET –– 195.116.205.43:80 http://link.ins.pl/.mxr1ouq0/Wersja.1.21.3.6.zip PL –– –– unknown
2904 opera.exe GET 400 185.26.182.94:80 http://sitecheck2.opera.com/?host=link.ins.pl&hdn=vGjwzn/GZbO1yaL72JmDJA== unknown html whitelisted
2904 opera.exe GET 200 93.184.220.29:80 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl US der whitelisted

Download the PCAP, analyze network streams, HTTP content and a lot more in the full report

Connections

PID Process IP ASN CN Reputation
2904 opera.exe 185.26.182.93:443 Opera Software AS –– unknown
2904 opera.exe 185.26.182.94:443 Opera Software AS –– malicious
2904 opera.exe 195.116.205.43:80 Orange Polska Spolka Akcyjna PL unknown
2904 opera.exe 185.26.182.94:80 Opera Software AS –– malicious
2904 opera.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted

DNS requests

Domain IP Reputation
link.ins.pl 195.116.205.43 unknown
certs.opera.com 185.26.182.93, 185.26.182.94 whitelisted
sitecheck2.opera.com 185.26.182.94, 185.26.182.111, 185.26.182.112, 185.26.182.93 whitelisted
crl4.digicert.com 93.184.220.29 whitelisted

Threats

No threats detected.

Debug output strings

No debug info.