Malware analysis SubZero Download_89946866.exe Malicious activity

Add for printing

File name:	SubZero Download_89946866.exe
Full analysis:	https://app.any.run/tasks/73e3a002-3ddd-485c-92bf-4eeb71eea66d
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 10, 2025, 17:51:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	premieropinion adware ossproxy relevantknowledge stealer pua
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	554ACBE34759FB497953425E55B35DE3
SHA1:	A73B6E2515C430ADAE914E43632EB7E951D6B256
SHA256:	F3576D9B6CCC35445BBD3B785A8B9A5F49E64BC14F2FB137245D76D00A4D8D45
SSDEEP:	98304:cH4eksk0hz+zlyOFlXBuwPc8LIYj9XzWy31Z5xDxE8k4+HrpHkC/vNDjRsHHLI3D:u7Rz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- OSSPROXY mutex has been found
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 8008)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
  - pmropn64.exe (PID: 7000)
  - pmropn32.exe (PID: 5176)
  - pmropn.exe (PID: 4608)
- PREMIEROPINION mutex has been found
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 8008)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
  - pmropn.exe (PID: 4608)
- RELEVANTKNOWLEDGE mutex has been found
  - rundll32.exe (PID: 3240)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
  - pmropn32.exe (PID: 5176)
- Runs injected code in another process
  - rundll32.exe (PID: 3240)
- Application was injected by another process
  - svchost.exe (PID: 1260)
- Change Internet Settings
  - pmropn.exe (PID: 7752)
- Actions looks like stealing of personal data
  - pmropn.exe (PID: 7752)
- ADWARE has been detected (SURICATA)
  - pmropn.exe (PID: 7752)
- OSSPROXY has been detected (SURICATA)
  - pmropn.exe (PID: 7752)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 7952)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
- Executable content was dropped or overwritten
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 7952)
  - pmropn.exe (PID: 4040)
- There is functionality for taking screenshot (YARA)
  - SubZero Download_89946866.exe (PID: 7400)
- Start notepad (likely ransomware note)
  - SubZero Download_89946866.exe (PID: 7400)
- Searches for installed software
  - pmropn.exe (PID: 4040)
  - reg.exe (PID: 5392)
  - rundll32.exe (PID: 3240)
  - svchost.exe (PID: 1260)
  - ContentI3.exe (PID: 7952)
  - pmservice.exe (PID: 5892)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 8008)
  - pmropn.exe (PID: 7752)
  - pmropn32.exe (PID: 5176)
  - pmropn64.exe (PID: 7000)
  - unsecapp.exe (PID: 6592)
  - pmropn.exe (PID: 4608)
- Adds/modifies Windows certificates
  - pmropn.exe (PID: 4040)
  - pmservice.exe (PID: 5892)
- Creates a software uninstall entry
  - pmropn.exe (PID: 4040)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 8008)
  - pmropn.exe (PID: 7752)
  - pmservice.exe (PID: 5892)
- Executes as Windows Service
  - pmservice.exe (PID: 5892)
- Uses RUNDLL32.EXE to load library
  - pmservice.exe (PID: 5892)
- Starts CMD.EXE for commands execution
  - pmservice.exe (PID: 5892)
- Starts POWERSHELL.EXE for commands execution
  - pmropn.exe (PID: 7752)
- Potential Corporate Privacy Violation
  - pmropn.exe (PID: 7752)
- Connects to unusual port
  - pmropn.exe (PID: 7752)
INFO
- Checks proxy server information
  - SubZero Download_89946866.exe (PID: 7400)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
- The sample compiled with english language support
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 7952)
  - pmropn.exe (PID: 4040)
- Reads the machine GUID from the registry
  - SubZero Download_89946866.exe (PID: 7400)
  - pmropn.exe (PID: 4040)
  - pmservice.exe (PID: 5892)
  - pmropn.exe (PID: 7752)
- Checks supported languages
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 7944)
  - pmropn.exe (PID: 4040)
  - ContentI3.exe (PID: 8008)
  - pmservice.exe (PID: 5892)
  - pmropn.exe (PID: 7752)
  - pmropn64.exe (PID: 7000)
  - pmropn32.exe (PID: 5176)
  - pmropn.exe (PID: 4608)
- Reads the computer name
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 7944)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 8008)
  - pmropn.exe (PID: 4040)
  - pmservice.exe (PID: 5892)
  - pmropn.exe (PID: 7752)
- Creates files or folders in the user directory
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7944)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
- Create files in a temporary directory
  - SubZero Download_89946866.exe (PID: 7400)
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7952)
  - ContentI3.exe (PID: 7944)
- Process checks computer location settings
  - SubZero Download_89946866.exe (PID: 7400)
- Reads the software policy settings
  - SubZero Download_89946866.exe (PID: 7400)
  - pmropn.exe (PID: 4040)
  - pmservice.exe (PID: 5892)
  - pmropn.exe (PID: 7752)
  - slui.exe (PID: 7576)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 1132)
  - cmd.exe (PID: 4464)
  - cmd.exe (PID: 3008)
- Creates files in the program directory
  - ContentI3.exe (PID: 8008)
  - ContentI3.exe (PID: 7952)
  - reg.exe (PID: 5392)
  - pmservice.exe (PID: 5892)
  - pmropn.exe (PID: 4040)
  - pmropn.exe (PID: 7752)
- OSSPROXY has been detected
  - ContentI3.exe (PID: 8008)
  - pmservice.exe (PID: 5892)
  - cmd.exe (PID: 3008)
  - cmd.exe (PID: 4464)
- Disables trace logs
  - pmropn.exe (PID: 7752)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:05:05 13:46:08+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.22
CodeSize:	4352000
InitializedDataSize:	1675264
UninitializedDataSize:	-
EntryPoint:	0x3989ba
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Download Manager
FileVersion:	1
InternalName:	Download Manager
LegalCopyright:	Download Manager
OriginalFileName:	Download Manager
ProductName:	Download Manager
ProductVersion:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

295

Monitored processes

154

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

616

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.print3d_8wekyb3d8bbwe

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

616

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.gethelp_8wekyb3d8bbwe

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

904

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

1056

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

1128

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.win32webviewhost_cw5n1h2txyewy

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

1132

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\link.txt

C:\Windows\SysWOW64\notepad.exe

—

SubZero Download_89946866.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Notepad

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll

1188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1240

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

Add for printing

Total events

51 178

Read events

50 741

Write events

263

Delete events

174

Modification events


(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon
Operation:	write	Name:	Index
Value: 2
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	Hash
Value: CDA7456BF99509A5E35E271627318ADB606F72CB542F752AFB69F292A7535F3C
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	delete value	Name:	Schema
Value:
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	delete value	Name:	Date
Value:
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	SecurityDescriptor
Value: D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	Source
Value: $(@%systemroot%\system32\sppc.dll,-200)
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	Author
Value: $(@%systemroot%\system32\sppc.dll,-200)
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	write	Name:	Description
Value: $(@%systemroot%\system32\sppc.dll,-202)
(PID) Process:	(1260) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation:	delete value	Name:	Documentation
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1260	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon		xml
		MD5:8CBC84881481158749FD559D1D305C46	SHA256:F4902BEF1E82CDAB34A23A43A7F15C0D1C0A0B86E5DD187CACB75E3DF4024153
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:3E9A375878625A71EFECDFB101682EC5	SHA256:14755F3DD1DEA6D76CF953FB3447572DF614F2BC1A95DC75159362EAC76FB440
1260	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork		xml
		MD5:18E755C987BFC19E9243E2297F9E5973	SHA256:28A47DB050051049E35249EA57B389E3946003173806D02064ADFCC5F46E0880
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:8A82796323BEA0509C3E83413C3451AB	SHA256:907C305012004C54B539ADF6D14405690E26E7ED38BC82FC17B3968FCF541423
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B77FAD61EB4A40E3443FA60D1451BEB4_5F55BE09F9262B37AA5427711092D3D4		binary
		MD5:5E3661891C74B14835FBCC3DECAC5A0C	SHA256:3B53088BA4AC3A9F7FF56CCA547362C9ECE7181830C6448F54384286BA2BC0FD
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htm		text
		MD5:0175F786BCA581E8492A2C055CB30716	SHA256:57A84A9442D85F2FB3D96C16E5BEBE65EABC8F3105BBE4ECBF8F9674C39AB4A9
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\logo[1].png		image
		MD5:2D4E9E8198F0C3EADE53C619CD1FE4EA	SHA256:C97E703578120C1F7A570ACAC3B461178A5E051CE16BE9E266C1789C1D610AC0
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\25D1DB4656094BF561303C5B3B7F5405_08BC28CA85E37FE0965621B0733DE32E		binary
		MD5:887866794C9257D4905DAB2BFE514CC8	SHA256:F8BDE30EDA754264CFD6E864CAB180409DDEB252F1031BAD38C45D172761E83F
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\25D1DB4656094BF561303C5B3B7F5405_08BC28CA85E37FE0965621B0733DE32E		binary
		MD5:CAACEAADE10405F5B9A7BFB1813BAE2F	SHA256:A981C947BD4CD04D6D479D4981D52D3A5CEE328445DD9D372C0CE7A8F99F2D49
7400	SubZero Download_89946866.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5	SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

145

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7400	SubZero Download_89946866.exe	GET	200	18.245.38.41:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D	unknown	—	—	whitelisted
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=17&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=0	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=1&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	GET	200	104.18.38.233:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D	unknown	—	—	whitelisted
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=8&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=8&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=4&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious
7400	SubZero Download_89946866.exe	POST	200	165.193.78.234:80	http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=4&uid=74J0m8he4rB82ncpU55555	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4628	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.141:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7400	SubZero Download_89946866.exe	35.190.60.70:443	www.dlsft.com	GOOGLE	US	whitelisted
7400	SubZero Download_89946866.exe	142.250.186.35:80	ocsp.pki.goog	GOOGLE	US	whitelisted
7400	SubZero Download_89946866.exe	172.217.16.195:80	c.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.48.23.141 23.48.23.183 23.48.23.192 23.48.23.139 23.48.23.140 23.48.23.138 23.48.23.185 23.48.23.193 23.48.23.188	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
www.dlsft.com	35.190.60.70	unknown
ocsp.pki.goog	142.250.186.35	whitelisted
c.pki.goog	172.217.16.195	whitelisted
o.pki.goog	172.217.16.195	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
dlsft.com	35.190.60.70	unknown

Threats

PID	Process	Class	Message
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
7752	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header

Add for printing

No debug info

General Info

SubZero Download_89946866.exe

554ACBE34759FB497953425E55B35DE3

A73B6E2515C430ADAE914E43632EB7E951D6B256

F3576D9B6CCC35445BBD3B785A8B9A5F49E64BC14F2FB137245D76D00A4D8D45

98304:cH4eksk0hz+zlyOFlXBuwPc8LIYj9XzWy31Z5xDxE8k4+HrpHkC/vNDjRsHHLI3D:u7Rz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

OSSPROXY mutex has been found

PREMIEROPINION mutex has been found

RELEVANTKNOWLEDGE mutex has been found

Runs injected code in another process

Application was injected by another process

Change Internet Settings

Actions looks like stealing of personal data

ADWARE has been detected (SURICATA)

OSSPROXY has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Start notepad (likely ransomware note)

Searches for installed software

Adds/modifies Windows certificates

Creates a software uninstall entry

Executes as Windows Service

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Checks proxy server information

The sample compiled with english language support

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Process checks computer location settings

Reads the software policy settings

Reads security settings of Internet Explorer

Creates files in the program directory

OSSPROXY has been detected

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity