| File name: | FiveM.exe |
| Full analysis: | https://app.any.run/tasks/699e7cdc-0db5-471e-a8c3-c0eda8f52f02 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 02, 2024, 18:42:26 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | E8C3FD1B35507FA301FAC9367F28757F |
| SHA1: | FD03919C9370248A62C9D540F6CD9FBECCAC09F6 |
| SHA256: | 05A99A0067DDDE35A8B6C92721FC8EE058FFE1CEE9A9DCEB2BAFB1A8E2D92368 |
| SSDEEP: | 98304:kP1CJqKCLt/w7rImQfbiHdj+Qu/3yTVMj9N36V2txB9ROtJgmgwd0ARKZdlXrlEh:6y5uOtOlq |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- FiveM.exe (PID: 1640)
- GameBar.exe (PID: 4128)
Starts application with an unusual extension
- FiveM.exe (PID: 1640)
- FiveM.exe (PID: 6556)
Starts itself from another location
- CitizenFX.exe.new (PID: 1696)
- FiveM.exe (PID: 3848)
- FiveM.exe (PID: 6556)
Executable content was dropped or overwritten
- FiveM.exe (PID: 1640)
- CitizenFX.exe.new (PID: 1696)
- FiveM.exe (PID: 6556)
- FiveM.exe (PID: 3848)
Process drops legitimate windows executable
- FiveM.exe (PID: 6556)
The process drops C-runtime libraries
- FiveM.exe (PID: 6556)
INFO
Reads the computer name
- FiveM.exe (PID: 1640)
- GameBar.exe (PID: 4128)
Checks supported languages
- FiveM.exe (PID: 1640)
- GameBar.exe (PID: 4128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2023:10:09 08:56:51+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.36 |
| CodeSize: | 3383296 |
| InitializedDataSize: | 1909760 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x28cd20 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.6775 |
| ProductVersionNumber: | 2.0.0.6775 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Cfx.re |
| FileDescription: | FiveM |
| InternalName: | FiveM |
| FileVersion: | 2.0.0.6775 |
| LegalCopyright: | (C) 2015-2022 Cfx.re |
| OriginalFileName: | CitizenMP.exe |
| ProductName: | FiveM |
| ProductVersion: | 2.0.0.6775 |
Total processes
137
Monitored processes
10
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1640 | "C:\Users\admin\Desktop\FiveM.exe" | C:\Users\admin\Desktop\FiveM.exe | explorer.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Exit code: 0 Version: 2.0.0.6775 Modules
| |||||||||||||||
| 1696 | CitizenFX.exe.new -bootstrap "C:\Users\admin\Desktop\FiveM.exe" | C:\Users\admin\Desktop\CitizenFX.exe.new | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Exit code: 0 Version: 2.0.0.10011 Modules
| |||||||||||||||
| 3848 | "C:\Users\admin\Desktop\FiveM.exe" | C:\Users\admin\Desktop\FiveM.exe | CitizenFX.exe.new | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Exit code: 0 Version: 2.0.0.10011 Modules
| |||||||||||||||
| 4128 | "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 5612 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5656 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6360 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6556 | "C:\Users\admin\AppData\Local\FiveM\FiveM.exe" | C:\Users\admin\AppData\Local\FiveM\FiveM.exe | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Version: 2.0.0.10011 Modules
| |||||||||||||||
| 6688 | "C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:2060 -parentpid:6556 | C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Version: 2.0.0.10011 Modules
| |||||||||||||||
| 7020 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
26 347
Read events
26 285
Write events
62
Delete events
0
Modification events
| (PID) Process: | (1640) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\CitizenFX\FiveM |
| Operation: | write | Name: | Last Run Location |
Value: C:\Users\admin\Desktop\ | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionMajor |
Value: 02001A83C5DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionMinor |
Value: 22001A83C5DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionBuild |
Value: 616D1A83C5DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionRevision |
Value: 00001A83C5DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | PreviousAppTerminationFromSuspended |
Value: 001A83C5DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | CurrentDisplayMonitor |
Value: 670061006D0065000000E8ADCCDBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | StartupTipIndex |
Value: 0100000000000000C174D1DBFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionMajor |
Value: 02005A0675DDFA14DB01 | |||
| (PID) Process: | (4128) GameBar.exe | Key: | \REGISTRY\A\{25ea3739-49e1-8a4e-7768-b8ecfa983ebd}\LocalState |
| Operation: | write | Name: | InstalledVersionMinor |
Value: 22005A0675DDFA14DB01 | |||
Executable files
416
Suspicious files
156
Text files
231
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1640 | FiveM.exe | C:\Users\admin\Desktop\CitizenFX.exe.new | executable | |
MD5:224E0E23FCD9128FEE27D7ADF59EBBFE | SHA256:389BFA7307679A9875AA41351B942724964BC0ED4763C442D1288FE693782066 | |||
| 1640 | FiveM.exe | C:\Users\admin\Desktop\CitizenFX.exe.new.tmp | executable | |
MD5:224E0E23FCD9128FEE27D7ADF59EBBFE | SHA256:389BFA7307679A9875AA41351B942724964BC0ED4763C442D1288FE693782066 | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_chrome.bin.tmp | executable | |
MD5:848E7A9C5C472620C9691716196FF2D8 | SHA256:4EDFE10A41AF080DE42566663DAE4FC80E959592A1F4B250BDF3CB1C0E3413E6 | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1604_aslr.bin.tmp | executable | |
MD5:C56958C9C462EB806B6055B600032077 | SHA256:0550D6EE21AEDBC70ACBBA31487ED0BE73C070DC80B3E1D92DA70E1B4FCB4B9C | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1604_aslr.bin | executable | |
MD5:C56958C9C462EB806B6055B600032077 | SHA256:0550D6EE21AEDBC70ACBBA31487ED0BE73C070DC80B3E1D92DA70E1B4FCB4B9C | |||
| 1696 | CitizenFX.exe.new | C:\Users\admin\Desktop\FiveM.exe.old | executable | |
MD5:E8C3FD1B35507FA301FAC9367F28757F | SHA256:05A99A0067DDDE35A8B6C92721FC8EE058FFE1CEE9A9DCEB2BAFB1A8E2D92368 | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\desktop.ini | text | |
MD5:9D2F20E16EC4711FFD07D7BE13BAD063 | SHA256:D6967B5C56EDD0A0D0340663EF91E4BD20981752977590B688B18060E7220682 | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM - Cfx.re Development Kit (FxDK).lnk | binary | |
MD5:EAF48D806A2DD4D3639727CC4CF09E46 | SHA256:E33A2EC4ECF2FE7CBE4BD9C1BDE100E9B105D814FF1149D4083CEB8455250A06 | |||
| 6556 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2612_aslr.bin.tmp | executable | |
MD5:D5465E5E8E9B339F7B0A2D67407D2273 | SHA256:CD530F15E8E6A3A717C141FAAFB8DA242032AF5D1FB542D18DEDF7E4072A8E96 | |||
| 3848 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.exe | executable | |
MD5:224E0E23FCD9128FEE27D7ADF59EBBFE | SHA256:389BFA7307679A9875AA41351B942724964BC0ED4763C442D1288FE693782066 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
325
TCP/UDP connections
40
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3324 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/38/9b/389bfa7307679a9875aa41351b942724964bc0ed4763c442d1288fe693782066.xz | unknown | binary | 1.83 Mb | unknown |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/65/4d/654d60def7da2aeb985a373a36ffb71efe0d1f88f68ec82c0ab35da762d8fc06 | unknown | text | 94.3 Kb | unknown |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1727894563 | unknown | text | 7 b | unknown |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1727894555 | unknown | text | 7 b | unknown |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1727894566 | unknown | text | 7 b | unknown |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/4e/df/4edfe10a41af080de42566663dae4fc80e959592a1f4b250bdf3cb1c0e3413e6.xz | unknown | binary | 128 Kb | unknown |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1727894564 | unknown | text | 7 b | unknown |
— | — | POST | 200 | 20.189.173.12:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1640 | FiveM.exe | 104.18.34.171:443 | content.cfx.re | CLOUDFLARENET | — | unknown |
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3324 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
content.cfx.re |
| unknown |
www.microsoft.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
sentry.fivem.net |
| whitelisted |
Threats
Process | Message |
|---|---|
FiveM_b2699_DumpServer | DumpServer is active and waiting.
|