File name:

GTA_8.5.exe

Full analysis: https://app.any.run/tasks/8bd233d6-d8d4-4d8e-86ea-aac99285407c
Verdict: Malicious activity
Analysis date: June 02, 2025, 16:40:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

B3E8BFBA4FE5BC235B65249C4AAAE93C

SHA1:

E88E6D6FED012E6113F226D5F5A4AEC900F5EEAF

SHA256:

900E87A1A6CC96A8F33CC6691BE946B4F764CC2BE68168EB2F327DD0CB5457D0

SSDEEP:

98304:LEWBCOpQMC2xumzy7264jHPwIAfxBKhWnXZLvbN+pl89blvtVlsSihbIa47TUj1f:jQEEPpIfKA0Ls85VB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • GTA_8.5.exe (PID: 2416)

    • Runs injected code in another process

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Application was injected by another process

      • csrss.exe (PID: 5824)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • The process drops C-runtime libraries

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Process drops python dynamic module

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • There is functionality for taking screenshot (YARA)

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 8084)
      • GTA_8.5.exe (PID: 2416)

    • Executable content was dropped or overwritten

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 2868)

    • Application launched itself

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Loads Python modules

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Starts CMD.EXE for commands execution

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

  • INFO

    • Checks supported languages

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 8084)

    • Reads the computer name

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Create files in a temporary directory

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • PyInstaller has been detected (YARA)

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • The sample compiled with english language support

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Manual execution by a user

      • GTA_8.5.exe (PID: 2868)

    • Checks operating system version

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Creates files or folders in the user directory

      • GTA_8.5.exe (PID: 2416)

    • Launch of the file from Startup directory

      • GTA_8.5.exe (PID: 2416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:07 14:15:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 361984
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gta_8.5.exe gta_8.5.exe cmd.exe no specs conhost.exe no specs gta_8.5.exe slui.exe gta_8.5.exe no specs cmd.exe no specs conhost.exe no specs csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
1452\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2416"C:\Users\admin\Desktop\GTA_8.5.exe" C:\Users\admin\Desktop\GTA_8.5.exe
GTA_8.5.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2868"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5824%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
6032"C:\Users\admin\Desktop\GTA_8.5.exe" C:\Users\admin\Desktop\GTA_8.5.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6456C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeGTA_8.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
7688C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8084"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exeGTA_8.5.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
8116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8144C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeGTA_8.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 841
Read events
3 841
Write events
0
Delete events
0

Modification events

No data
Executable files
39
Suspicious files
2
Text files
1 840
Unknown types
4

Dropped files

PID
Process
Filename
Type
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\VCRUNTIME140_1.dllexecutable
MD5:F8DFA78045620CF8A732E67D1B1EB53D
SHA256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_ctypes.pydexecutable
MD5:565D011CE1CEE4D48E722C7421300090
SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_decimal.pydexecutable
MD5:C88282908BA54510EDA3887C488198EB
SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_bz2.pydexecutable
MD5:AA1083BDE6D21CABFC630A18F51B1926
SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\base_library.zipcompressed
MD5:BEC1BFD6F5C778536E45FF0208BAEEB8
SHA256:A9D7FA44E1CC77E53F453BF1CA8ABA2A9582A842606A4E182C65B88B616B1A17
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\libcrypto-3.dllexecutable
MD5:E547CF6D296A88F5B1C352C116DF7C0C
SHA256:05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\select.pydexecutable
MD5:E4AB524F78A4CF31099B43B35D2FAEC3
SHA256:BAE0974390945520EB99AB32486C6A964691F8F4A028AC408D98FA8FB0DB7D90
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_tkinter.pydexecutable
MD5:730C89FC98ADE903787589A935AEB36D
SHA256:6F7BDC2F60A1795B58EC7015EC262D6B234AA8D0F022185DE0F52BAC4ADAB449
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\libffi-8.dllexecutable
MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
SHA256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5260
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7292
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7292
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5260
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7292
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5260
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7292
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
5260
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
7292
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5260
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7292
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GTA_8.5.exe