File name:

GenP3.0Release.zip

Full analysis: https://app.any.run/tasks/c49615d8-80f4-4583-86d6-0a0b7803978f
Verdict: Malicious activity
Analysis date: June 27, 2025, 17:35:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
autoit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

F78A9965B1EF6FB2ED878D3E9A4C2AF3

SHA1:

0B0C502A5079B2357E0D330427DEB4D5B24EF071

SHA256:

BA734CEA2D9B594B4028E94F7A396F0380FBDDE68DF026B5BD26D00A3F067C81

SSDEEP:

98304:0lRgEGmPg0ipktIzHh38s8ofc3Br9eLJkouhNv1TFARiNx:0jgzmPg0ipDLms8eMJ9eLRsv1q8f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6428)

    • Changes powershell execution policy (RemoteSigned)

      • cmd.exe (PID: 4820)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4112)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 2212)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 4112)

  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 2732)
      • cmd.exe (PID: 4820)
      • net.exe (PID: 3620)
      • net.exe (PID: 4800)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4820)
      • powershell.exe (PID: 4112)

    • The process executes Powershell scripts

      • cmd.exe (PID: 4820)
      • powershell.exe (PID: 4112)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 4112)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 4112)

    • Application launched itself

      • powershell.exe (PID: 4112)

    • There is functionality for taking screenshot (YARA)

      • Adobe-GenP-3.0.exe (PID: 4444)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6428)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 6428)
      • mshta.exe (PID: 3668)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 6428)
      • mshta.exe (PID: 3668)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3668)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2732)
      • Adobe-GenP-3.0.exe (PID: 2432)
      • Adobe-GenP-3.0.exe (PID: 4444)
      • RunMe.exe (PID: 6128)
      • RunMe.exe (PID: 7136)
      • NSudo.exe (PID: 1700)
      • NSudo.exe (PID: 2124)
      • powershell.exe (PID: 4112)
      • powershell.exe (PID: 2780)

    • Checks supported languages

      • mode.com (PID: 4916)
      • mode.com (PID: 3932)
      • Adobe-GenP-3.0.exe (PID: 4444)
      • RunMe.exe (PID: 6128)
      • NSudo.exe (PID: 2124)
      • MpCmdRun.exe (PID: 5564)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3668)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 4916)
      • mode.com (PID: 3932)

    • Reads mouse settings

      • Adobe-GenP-3.0.exe (PID: 4444)
      • RunMe.exe (PID: 6128)

    • Reads the computer name

      • NSudo.exe (PID: 2124)
      • Adobe-GenP-3.0.exe (PID: 4444)
      • MpCmdRun.exe (PID: 5564)

    • The process uses AutoIt

      • Adobe-GenP-3.0.exe (PID: 4444)

    • Checks proxy server information

      • slui.exe (PID: 5284)
      • mshta.exe (PID: 3668)

    • Reads the software policy settings

      • slui.exe (PID: 5284)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6428)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6428)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 5564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:01:07 00:22:38
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: GenP 3.0 Release/Adobe GenP 3.0/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
29
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs mshta.exe no specs cmd.exe conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs powershell.exe no specs adobe-genp-3.0.exe no specs adobe-genp-3.0.exe runme.exe no specs runme.exe nsudo.exe no specs nsudo.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1652C:\WINDOWS\system32\net1 session C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1700"C:\Users\admin\Desktop\NSudo.exe" C:\Users\admin\Desktop\NSudo.exeexplorer.exe
User:
admin
Company:
M2-Team
Integrity Level:
MEDIUM
Description:
NSudo Launcher
Exit code:
3221226540
Version:
8.2.0.0
Modules
Images
c:\users\admin\desktop\nsudo.exe
c:\windows\system32\ntdll.dll
2124"C:\Users\admin\Desktop\NSudo.exe" C:\Users\admin\Desktop\NSudo.exe
explorer.exe
User:
admin
Company:
M2-Team
Integrity Level:
HIGH
Description:
NSudo Launcher
Version:
8.2.0.0
Modules
Images
c:\users\admin\desktop\nsudo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2212"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\Desktop\import.ps1" " Hosts Block - CCStopper Portable Module" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432"C:\Users\admin\Desktop\Adobe-GenP-3.0.exe" C:\Users\admin\Desktop\Adobe-GenP-3.0.exeexplorer.exe
User:
admin
Company:
2.0.0
Integrity Level:
MEDIUM
Description:
Adobe-GenP-3.0
Exit code:
3221226540
Version:
2.0.0.0
Modules
Images
c:\users\admin\desktop\adobe-genp-3.0.exe
c:\windows\system32\ntdll.dll
2732C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Patch.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2780"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\import.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3620net session C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3668mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd","/c C:\Users\admin\Desktop\Patch.bat ::","","runas",1)(window.close)C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
Total events
23 505
Read events
23 491
Write events
14
Delete events
0

Modification events

(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\GenP3.0Release.zip
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6428) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3668) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3668) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
5
Suspicious files
10
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
3780powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:7B21DA14090CA93C434A43FEF83EED67
SHA256:40F464334A7763BFC5278AEF59431C9C2952C9C4BB63AA0B2E4A15D4FA22C493
4112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PTNA2SVOK1OJK2OXPYMA.tempbinary
MD5:C8EFE8A8C1D596DBD15C966107FABFAE
SHA256:902B93660E233D90A1B7C6F1997C3AD602F79FEAD3CC46A9D927BF6167FE3DC3
4112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_efc14zdp.1qp.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:C8EFE8A8C1D596DBD15C966107FABFAE
SHA256:902B93660E233D90A1B7C6F1997C3AD602F79FEAD3CC46A9D927BF6167FE3DC3
4112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF178194.TMPbinary
MD5:00A03B286E6E0EBFF8D9C492365D5EC2
SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:7E1BE7913AAF01DEE6D89055C93B99CC
SHA256:00DBA3E06A95F48DB54E05124A2779CC6D946AA7822922BED10944834A67A4B7
4112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mtc5ur1u.o0p.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF178618.TMPbinary
MD5:C8EFE8A8C1D596DBD15C966107FABFAE
SHA256:902B93660E233D90A1B7C6F1997C3AD602F79FEAD3CC46A9D927BF6167FE3DC3
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VWPDZBTE4GBN3IS9ZA6.tempbinary
MD5:7E1BE7913AAF01DEE6D89055C93B99CC
SHA256:00DBA3E06A95F48DB54E05124A2779CC6D946AA7822922BED10944834A67A4B7
2212powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4JS09VKHGLKITXKRIKEW.tempbinary
MD5:683A811ECE83D90B486B0900AC463B86
SHA256:7C5A8CF366BA63FAD34BC1606125FD0FDCF039B150EDF83E3264E94BC4529C67
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6404
RUXIMICS.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6404
RUXIMICS.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6404
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6404
RUXIMICS.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6404
RUXIMICS.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 20.189.173.25
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GenP3.0Release.zip