File name:

Grand_Theft_Auto_V.exe

Full analysis: https://app.any.run/tasks/68b4c0a3-ff56-4347-96a3-42a6f8b74f1c
Verdict: Malicious activity
Analysis date: April 22, 2024, 20:57:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1B76A21E20BF2D7033E8855983032223

SHA1:

D433C64A2C387E37BB68BC5D6356E4C20E45E52F

SHA256:

D98731BBAE8DAB5DE30C091946AD9A80D8EDD1CCD801A8ACCB63E4591E568D4E

SSDEEP:

98304:qsQ44gdhpHKfhTb9EK+2we8ZR9EiYoI+6zfuMaEDnwoAcd1973LqhYArKnwxhtiC:0iDgNPKAD15+9nXMOWb9Xi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3664)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3664)

    • Changes powershell execution policy (Bypass)

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Executable content was dropped or overwritten

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Process drops legitimate windows executable

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Drops 7-zip archiver for unpacking

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Reads the Internet Settings

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Reads security settings of Internet Explorer

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Starts POWERSHELL.EXE for commands execution

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

  • INFO

    • Checks supported languages

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Reads the computer name

      • Grand_Theft_Auto_V.exe (PID: 3768)
      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)

    • Create files in a temporary directory

      • Grand_Theft_Auto_V.exe (PID: 3768)

    • Reads the machine GUID from the registry

      • [Grand_Theft_Auto_V - Game PC].exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:16 12:31:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 208384
InitializedDataSize: 262144
UninitializedDataSize: -
EntryPoint: 0x205e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start grand_theft_auto_v.exe [grand_theft_auto_v - game pc].exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3384"C:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exeGrand_Theft_Auto_V.exe
User:
admin
Company:
YL Computing
Integrity Level:
MEDIUM
Description:
imDesktop
Exit code:
3221225547
Version:
1.3.2.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\[grand_theft_auto_v - game pc].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3664"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[Grand_Theft_Auto_V - Game PC].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3768"C:\Users\admin\Downloads\Grand_Theft_Auto_V.exe" C:\Users\admin\Downloads\Grand_Theft_Auto_V.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\grand_theft_auto_v.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
6 129
Read events
6 117
Write events
11
Delete events
1

Modification events

(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3768) Grand_Theft_Auto_V.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\imDesktop\Registration
Operation:writeName:UsedTimes
Value:
1
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\imDesktop\Registration
Operation:writeName:FirstRunTime
Value:
4/22/2024 9:57:25 PM
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
[Grand_Theft_Auto_V - Game PC].exe
(PID) Process:(3384) [Grand_Theft_Auto_V - Game PC].exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{C8C9E113-A22C-4E19-B054-75962DF96BBE}
Operation:delete keyName:(default)
Value:
Executable files
9
Suspicious files
3
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\MetroAssets
MD5:
SHA256:
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\[Grand_Theft_Auto_V - Game PC].exeexecutable
MD5:79B862F83A5BFA3FB5011CABF9D47A63
SHA256:3CA1410D20BFD9CD35C8F9B21D2958C6973E608CAEDD726A01199CDF747B3CD7
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.WindowsAPICodePack.dllexecutable
MD5:ACE419174E1E0C792D028F25F60D6E5F
SHA256:90D56B0A1C7E631E5A12985F9B7CC943A1EBC31E40EC53D56DC9149BBA74BA24
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Hardcodet.Wpf.TaskbarNotification.dllexecutable
MD5:D5D708E9E7625AB2C4AC1C1FAA099350
SHA256:F6FADF0375D22512B2B3F075362433C0DE173ADFB290B4D8999CDCB7ACEDB0B2
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\MahApps.Metro.dllexecutable
MD5:D0875DF0EFA5AA164ED3A1572CBAD9DC
SHA256:3EA99C14E2B2366DF2EE1281744F18B031E6CB0F7D98EFCCADA8A98D86821D29
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\wdmode.exeexecutable
MD5:42BADC1D2F03A8B1E4875740D3D49336
SHA256:C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\YLLibs.dllexecutable
MD5:3744D4FD7BA093923174696B56D05F9F
SHA256:3101A828D70C878E777A15EBB522B6A2F82E30FB2217CE66DF0F161A57656301
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\ZoneListtext
MD5:CD9447EF8116A3103E002DC719B21F7C
SHA256:1E6DB4581F3290E40ADAC1F4548B82D0A3A961ED01CC137B2BFB38B379E50AC2
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.WindowsAPICodePack.Shell.dllexecutable
MD5:18A46202A1636B985208E2183D756617
SHA256:513D386FC084AD355D1A8668D8B4E43CC3B21F135AC3EABBC6B96ADEB3EE9E84
3768Grand_Theft_Auto_V.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\System.Windows.Interactivity.dllexecutable
MD5:E991D47605BC04629AF29939AC2CC9B5
SHA256:EDA12487C479FF31202A3C60F88F1F0E2BF7392919099315D0D951683F14609C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Grand_Theft_Auto_V.exe