URL:

https://github.com/crandd1/FiveM-Spoofer/raw/refs/heads/main/CFXBypass.exe

Full analysis: https://app.any.run/tasks/254baaab-09f4-46fd-96f0-7fde0928e17f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 22, 2026, 20:21:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
auto
brat
loader
pastebin
stealer
telegram
santastealer
Indicators:
MD5:

0F06C7F6C4F4FFAF37777FC514E51F1A

SHA1:

749E8B2D5EAFF376676F648A6F8858FFA357AC31

SHA256:

16C1171363F76E25E774D4777B1AE0837F4B2A9E3CEAB86B2CA264978BB81B91

SSDEEP:

3:N8tEd2X3BBgKDAXRLNKknhn:2ugX34tXRLNKuh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BRAT has been found (auto)

      • chrome.exe (PID: 9068)
      • chrome.exe (PID: 2600)
    • Changes settings of System certificates

      • CFXBypass.exe (PID: 2572)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5208)
      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Changes Windows Defender settings

      • cmd.exe (PID: 5208)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4372)
      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Adds path to the Windows Defender exclusion list

      • 5c49778797304da40.exe (PID: 5012)
      • cmd.exe (PID: 5208)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4372)
      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Steals credentials from Web Browsers

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Actions looks like stealing of personal data

      • temp_executable.exe (PID: 6924)
      • temp_executable.exe (PID: 6300)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • SANTASTEALER has been detected

      • powershell.exe (PID: 7844)
      • powershell.exe (PID: 8844)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 7844)
      • powershell.exe (PID: 8844)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7844)
      • powershell.exe (PID: 8844)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • CFXBypass.exe (PID: 2572)
      • cmd.exe (PID: 5208)
      • temp_executable.exe (PID: 6924)
      • temp_executable.exe (PID: 6300)
    • Adds/modifies Windows certificates

      • CFXBypass.exe (PID: 2572)
    • Executable content was dropped or overwritten

      • CFXBypass.exe (PID: 2572)
      • 5c49778797304da40.exe (PID: 5012)
      • powershell.exe (PID: 8844)
    • Reads the date of Windows installation

      • 5c49778797304da40.exe (PID: 5012)
      • temp_executable.exe (PID: 6924)
      • temp_executable.exe (PID: 6300)
    • Starts CMD.EXE for commands execution

      • 5c49778797304da40.exe (PID: 5012)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5208)
    • Get information on the list of running processes

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Creates file in the systems drive root

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5208)
    • Possible stealing from crypto wallets

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Browser headless start

      • chrome.exe (PID: 8296)
      • msedge.exe (PID: 7028)
      • firefox.exe (PID: 9032)
      • chrome.exe (PID: 6444)
      • msedge.exe (PID: 1232)
      • firefox.exe (PID: 6624)
    • Possible stealing of messenger data

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Executes application which crashes

      • msedge.exe (PID: 1232)
      • msedge.exe (PID: 7028)
      • chrome.exe (PID: 6444)
      • chrome.exe (PID: 8296)
    • Possible stealing of VPN data

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Possible stealing of FTP data

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • BASE64 encoded PowerShell command has been detected

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Base64-obfuscated command line is found

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 7844)
      • powershell.exe (PID: 8844)
    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 7844)
      • powershell.exe (PID: 8844)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 8844)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 9068)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2600)
      • chrome.exe (PID: 9068)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 9068)
    • Manual execution by a user

      • CFXBypass.exe (PID: 2572)
    • Drops script file

      • CFXBypass.exe (PID: 2572)
      • powershell.exe (PID: 8856)
      • powershell.exe (PID: 4372)
      • powershell.exe (PID: 7924)
      • powershell.exe (PID: 7424)
      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • CFXBypass.exe (PID: 2572)
    • Checks supported languages

      • CFXBypass.exe (PID: 2572)
      • 5c49778797304da40.exe (PID: 5012)
      • temp_executable.exe (PID: 6924)
      • temp_executable.exe (PID: 6300)
    • Reads the computer name

      • CFXBypass.exe (PID: 2572)
      • 5c49778797304da40.exe (PID: 5012)
      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Reads the machine GUID from the registry

      • CFXBypass.exe (PID: 2572)
      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Creates files or folders in the user directory

      • CFXBypass.exe (PID: 2572)
      • 5c49778797304da40.exe (PID: 5012)
      • WerFault.exe (PID: 7508)
      • WerFault.exe (PID: 4876)
    • Process checks computer location settings

      • 5c49778797304da40.exe (PID: 5012)
      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Reads security settings of Internet Explorer

      • 5c49778797304da40.exe (PID: 5012)
      • temp_executable.exe (PID: 6924)
      • temp_executable.exe (PID: 6300)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4372)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4372)
    • Reads CPU info

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Reads Environment values

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Reads product name

      • temp_executable.exe (PID: 6300)
      • temp_executable.exe (PID: 6924)
    • Checks proxy server information

      • WerFault.exe (PID: 4876)
      • WerFault.exe (PID: 7508)
      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
      • slui.exe (PID: 2016)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
    • Disables trace logs

      • powershell.exe (PID: 8844)
      • powershell.exe (PID: 7844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 235
Monitored processes: 71
Malicious processes: 9
Suspicious processes: 0

Behavior graph

The behavior graph is interactive in the full report. Processes shown in it: chrome.exe (tagged #BRAT, two instances, plus many child chrome.exe processes), cfxbypass.exe, conhost.exe, powershell.exe, 5c49778797304da40.exe, cmd.exe, temp_executable.exe (two instances), chrome.exe, msedge.exe, firefox.exe, slui.exe, werfault.exe, powershell.exe (tagged #SANTASTEALER, two instances), attrib.exe, reg.exe, schtasks.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 748
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6116,i,4441342359609144761,13996734253546870829,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5992 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1080
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 1232 -s 712
Path: C:\Windows\System32\WerFault.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 1232
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-gpu
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: temp_executable.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
3765269347
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1692
CMD: "C:\WINDOWS\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 1876
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6016,i,4441342359609144761,13996734253546870829,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6256 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1956
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5956,i,4441342359609144761,13996734253546870829,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5944 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1988
CMD: "C:\WINDOWS\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\admin\AppData\Local\Microsoft\OfficeBroker /d 0 /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 2016
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2348
CMD: "C:\WINDOWS\system32\schtasks.exe" /create /tn RuntimeBrokerService /tr ""C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy\AC\Temp\RuntimeBroker.exe" -Embedding" /sc onlogon /f
Path: C:\Windows\System32\schtasks.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2376
CMD: "C:\WINDOWS\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy /d 0 /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 48 122
Read events: 48 102
Write events: 12
Delete events: 8

Modification events

(PID) Process: (2572) CFXBypass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Value:
(PID) Process: (2572) CFXBypass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation: write
Name: Blob
Value:
(PID) Process: (2572) CFXBypass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation: write
Name: Blob
Value:
(PID) Process: (7508) WerFault.exe
Key: \REGISTRY\A\{dcd9920c-4505-3cb8-1a9e-fc64873a2b33}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1
(PID) Process: (7508) WerFault.exe
Key: \REGISTRY\A\{dcd9920c-4505-3cb8-1a9e-fc64873a2b33}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
(PID) Process: (4876) WerFault.exe
Key: \REGISTRY\A\{dcd9920c-4505-3cb8-1a9e-fc64873a2b33}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1
(PID) Process: (4876) WerFault.exe
Key: \REGISTRY\A\{dcd9920c-4505-3cb8-1a9e-fc64873a2b33}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
(PID) Process: (2376) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy
Value: 0
(PID) Process: (1988) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\Users\admin\AppData\Local\Microsoft\OfficeBroker
Value: 0
(PID) Process: (7224) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\Users\admin\AppData\Local\Microsoft\OfficeBroker
Value: 0
Executable files: 9
Suspicious files: 94
Text files: 91
Unknown types: 0

Dropped files

PID | Process | Filename
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1b39c9.TMP
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1b39d9.TMP
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF1b39d9.TMP
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1b39d9.TMP
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1b39e8.TMP
9068 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF1b39e8.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 78
TCP/UDP connections: 66
DNS requests: 48
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2600 | chrome.exe | GET | 302 | 140.82.121.3:443 | https://github.com/crandd1/FiveM-Spoofer/raw/refs/heads/main/CFXBypass.exe | US | | | unknown
2600 | chrome.exe | POST | 200 | 74.125.133.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | US | text | 17 b | whitelisted
2600 | chrome.exe | POST | 200 | 142.251.141.99:443 | https://update.googleapis.com/service/update2/json?cup2key=14:_NyqzlV-XX6ahh5jNAG7P8sRXBf0hHcYjbF0fhK8w_Y&cup2hreq=5f41900a9c9088f05f10974e843f666b1fc914266499fa59ed5c6a0613b0a8b2 | US | text | 289 b | whitelisted
2600 | chrome.exe | GET | 200 | 142.251.141.131:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | US | compressed | 79.0 Kb | whitelisted
2600 | chrome.exe | GET | 200 | 142.251.140.170:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | US | binary | 41 b | whitelisted
2600 | chrome.exe | GET | 200 | 185.199.109.133:443 | https://raw.githubusercontent.com/crandd1/FiveM-Spoofer/refs/heads/main/CFXBypass.exe | US | executable | 128 Kb | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | | | whitelisted
4280 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
4336 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4336 | svchost.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | Not routed | whitelisted
4336 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2620 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2600 | chrome.exe | 142.251.208.14:80 | clients2.google.com | GOOGLE | US | whitelisted
2600 | chrome.exe | 142.251.140.170:443 | safebrowsingohttpgateway.googleapis.com | GOOGLE | US | whitelisted
2600 | chrome.exe | 142.251.141.131:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
2600 | chrome.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted
2600 | chrome.exe | 74.125.133.84:443 | accounts.google.com | GOOGLE | US | whitelisted
2600 | chrome.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.251.141.78
whitelisted
clients2.google.com
  • 142.251.208.14
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.251.140.170
  • 172.217.20.138
  • 142.250.185.106
  • 142.251.141.138
  • 142.250.185.74
  • 216.58.206.74
  • 142.250.185.170
  • 172.217.18.10
  • 216.58.206.42
  • 142.250.201.74
  • 142.250.185.138
  • 142.251.141.106
  • 142.250.184.234
  • 142.251.141.74
  • 142.250.185.202
  • 216.58.212.138
whitelisted
github.com
  • 140.82.121.3
whitelisted
clientservices.googleapis.com
  • 142.251.141.131
whitelisted
accounts.google.com
  • 74.125.133.84
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
whitelisted
update.googleapis.com
  • 142.251.141.99
whitelisted
sb-ssl.google.com
  • 142.251.141.78
whitelisted

Threats

PID | Process | Class | Message
2600 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2600 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
| | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP
| | Misc activity | ET HUNTING EXE Downloaded from Github
| | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
6924 | temp_executable.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
6924 | temp_executable.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
6924 | temp_executable.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
6924 | temp_executable.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info