File name:

GTA_8.5.exe

Full analysis: https://app.any.run/tasks/8bd233d6-d8d4-4d8e-86ea-aac99285407c
Verdict: Malicious activity
Analysis date: June 02, 2025, 16:40:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

B3E8BFBA4FE5BC235B65249C4AAAE93C

SHA1:

E88E6D6FED012E6113F226D5F5A4AEC900F5EEAF

SHA256:

900E87A1A6CC96A8F33CC6691BE946B4F764CC2BE68168EB2F327DD0CB5457D0

SSDEEP:

98304:LEWBCOpQMC2xumzy7264jHPwIAfxBKhWnXZLvbN+pl89blvtVlsSihbIa47TUj1f:jQEEPpIfKA0Ls85VB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • GTA_8.5.exe (PID: 2416)

    • Runs injected code in another process

      • GTA_8.5.exe (PID: 8084)
      • GTA_8.5.exe (PID: 2416)

    • Application was injected by another process

      • csrss.exe (PID: 5824)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Process drops python dynamic module

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • The process drops C-runtime libraries

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Starts CMD.EXE for commands execution

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • There is functionality for taking screenshot (YARA)

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)
      • GTA_8.5.exe (PID: 2868)

    • Loads Python modules

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Executable content was dropped or overwritten

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 2416)

    • Application launched itself

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

  • INFO

    • Checks supported languages

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 8084)

    • Reads the computer name

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 2868)
      • GTA_8.5.exe (PID: 8084)

    • PyInstaller has been detected (YARA)

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)
      • GTA_8.5.exe (PID: 2868)

    • Checks operating system version

      • GTA_8.5.exe (PID: 2416)
      • GTA_8.5.exe (PID: 8084)

    • Create files in a temporary directory

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Creates files or folders in the user directory

      • GTA_8.5.exe (PID: 2416)

    • Launch of the file from Startup directory

      • GTA_8.5.exe (PID: 2416)

    • The sample compiled with english language support

      • GTA_8.5.exe (PID: 6032)
      • GTA_8.5.exe (PID: 2868)

    • Manual execution by a user

      • GTA_8.5.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:07 14:15:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 361984
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gta_8.5.exe gta_8.5.exe cmd.exe no specs conhost.exe no specs gta_8.5.exe slui.exe gta_8.5.exe no specs cmd.exe no specs conhost.exe no specs csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
1452\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2416"C:\Users\admin\Desktop\GTA_8.5.exe" C:\Users\admin\Desktop\GTA_8.5.exe
GTA_8.5.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2868"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5824%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
6032"C:\Users\admin\Desktop\GTA_8.5.exe" C:\Users\admin\Desktop\GTA_8.5.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6456C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeGTA_8.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
7688C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8084"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GTA_8.5.exeGTA_8.5.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gta_8.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
8116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8144C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeGTA_8.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 841
Read events
3 841
Write events
0
Delete events
0

Modification events

No data
Executable files
39
Suspicious files
2
Text files
1 840
Unknown types
4

Dropped files

PID
Process
Filename
Type
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\python311.dllexecutable
MD5:387BB2C1E40BDE1517F06B46313766BE
SHA256:0817A2A657A24C0D5FBB60DF56960F42FC66B3039D522EC952DAB83E2D869364
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\VCRUNTIME140_1.dllexecutable
MD5:F8DFA78045620CF8A732E67D1B1EB53D
SHA256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_ctypes.pydexecutable
MD5:565D011CE1CEE4D48E722C7421300090
SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_socket.pydexecutable
MD5:B77017BAA2004833EF3847A3A3141280
SHA256:A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_queue.pydexecutable
MD5:7F52EF40B083F34FD5E723E97B13382F
SHA256:3F8E7E6AA13B417ACC78B63434FB1144E6319A010A9FC376C54D6E69B638FE4C
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_lzma.pydexecutable
MD5:B86B9F292AF12006187EBE6C606A377D
SHA256:F5E01B516C2C23035F7703E23569DEC26C5616C05A929B2580AE474A5C6722C5
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_bz2.pydexecutable
MD5:AA1083BDE6D21CABFC630A18F51B1926
SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\_decimal.pydexecutable
MD5:C88282908BA54510EDA3887C488198EB
SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
6032GTA_8.5.exeC:\Users\admin\AppData\Local\Temp\_MEI60322\base_library.zipcompressed
MD5:BEC1BFD6F5C778536E45FF0208BAEEB8
SHA256:A9D7FA44E1CC77E53F453BF1CA8ABA2A9582A842606A4E182C65B88B616B1A17
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5260
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7292
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5260
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7292
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7292
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5260
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7292
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
5260
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
7292
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5260
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7292
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GTA_8.5.exe