File name:

Grand_Theft_Auto_V.exe

Full analysis: https://app.any.run/tasks/68b4c0a3-ff56-4347-96a3-42a6f8b74f1c
Verdict: Malicious activity
Analysis date: April 22, 2024, 20:57:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1B76A21E20BF2D7033E8855983032223

SHA1:

D433C64A2C387E37BB68BC5D6356E4C20E45E52F

SHA256:

D98731BBAE8DAB5DE30C091946AD9A80D8EDD1CCD801A8ACCB63E4591E568D4E

SSDEEP:

98304:qsQ44gdhpHKfhTb9EK+2we8ZR9EiYoI+6zfuMaEDnwoAcd1973LqhYArKnwxhtiC:0iDgNPKAD15+9nXMOWb9Xi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3664)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3664)

    • Changes powershell execution policy (Bypass)

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • The process creates files with name similar to system file names

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Drops 7-zip archiver for unpacking

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Reads security settings of Internet Explorer

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Executable content was dropped or overwritten

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Reads the Internet Settings

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Starts POWERSHELL.EXE for commands execution

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

  • INFO

    • Reads the computer name

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Checks supported languages

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Create files in a temporary directory

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Reads the machine GUID from the registry

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:16 12:31:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 208384
InitializedDataSize: 262144
UninitializedDataSize: -
EntryPoint: 0x205e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start grand_theft_auto_v.exe [grand_theft_auto_v - game pc].exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3384"C:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exeGrand_Theft_Auto_V.exe
User:
admin
Company:
YL Computing
Integrity Level:
MEDIUM
Description:
imDesktop
Exit code:
3221225547
Version:
1.3.2.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\[grand_theft_auto_v - game pc].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3664"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[Grand_Theft_Auto_V - Game PC].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3768"C:\Users\admin\Downloads\Grand_Theft_Auto_V.exe" C:\Users\admin\Downloads\Grand_Theft_Auto_V.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\grand_theft_auto_v.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
6 129
Read events
6 117
Write events
11
Delete events
1

Modification events

(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\imDesktop\Registration
Operation:writeName:UsedTimes
Value:
1
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\imDesktop\Registration
Operation:writeName:FirstRunTime
Value:
4/22/2024 9:57:25 PM
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
[Grand_Theft_Auto_V - Game PC].exe
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{C8C9E113-A22C-4E19-B054-75962DF96BBE}
Operation:delete keyName:(default)
Value:
Executable files
9
Suspicious files
3
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\MetroAssets
MD5:
SHA256:
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Hardcodet.Wpf.TaskbarNotification.dllexecutable
MD5:D5D708E9E7625AB2C4AC1C1FAA099350
SHA256:F6FADF0375D22512B2B3F075362433C0DE173ADFB290B4D8999CDCB7ACEDB0B2
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.WindowsAPICodePack.Shell.dllexecutable
MD5:18A46202A1636B985208E2183D756617
SHA256:513D386FC084AD355D1A8668D8B4E43CC3B21F135AC3EABBC6B96ADEB3EE9E84
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exeexecutable
MD5:79B862F83A5BFA3FB5011CABF9D47A63
SHA256:3CA1410D20BFD9CD35C8F9B21D2958C6973E608CAEDD726A01199CDF747B3CD7
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\wdmode.exeexecutable
MD5:42BADC1D2F03A8B1E4875740D3D49336
SHA256:C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\lang\English.pngimage
MD5:00214D9E4E6155A04E3997D121641C98
SHA256:1037BB804C8DA171FB1869872BCD24AA1F0C96AD8CE783861DFF91D3174D12A7
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\lang\Chinese(Simplified).pngimage
MD5:18BD6697BC44BCFAA606AEC883FDF1C4
SHA256:3705C17E9A6CF982234898D0269B94427FB3B1978BECE5CF4F3A6C3BF518DA70
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\ControlzEx.dllexecutable
MD5:2D5035CB5A3678F2C2F5A889BD384813
SHA256:424CBE8F24A62C330149DBE0B80E214A984950C3B79B067058671608229FC2ED
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\System.Windows.Interactivity.dllexecutable
MD5:E991D47605BC04629AF29939AC2CC9B5
SHA256:EDA12487C479FF31202A3C60F88F1F0E2BF7392919099315D0D951683F14609C
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\MahApps.Metro.dllexecutable
MD5:D0875DF0EFA5AA164ED3A1572CBAD9DC
SHA256:3EA99C14E2B2366DF2EE1281744F18B031E6CB0F7D98EFCCADA8A98D86821D29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Grand_Theft_Auto_V.exe