| File name: | FiveM.exe |
| Full analysis: | https://app.any.run/tasks/e1aaeee3-e797-4ee7-99cb-a8998bd60f7d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 13, 2025, 23:55:34 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 357B5269F142658D15F2EE3F0FF949F4 |
| SHA1: | CFD0B2E11701095ED8E38C54C9A275125F989E9C |
| SHA256: | 2ED4CFB162F0E3294823B18E6198465181C56E2D362B37F439C35F57FB92617A |
| SSDEEP: | 98304:JB17cr1x8X1SufHQfXAO+DMy5q81UzMUqoIGLB8niFDLPoEOMERdHdvJNPiNNEIR:2Grvy |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts itself from another location
- FiveM.exe (PID: 6220)
- FiveM.exe (PID: 6264)
Creates a software uninstall entry
- FiveM.exe (PID: 6264)
Reads security settings of Internet Explorer
- FiveM.exe (PID: 6264)
- GameBar.exe (PID: 6744)
Executable content was dropped or overwritten
- FiveM.exe (PID: 6220)
- FiveM.exe (PID: 6264)
Process drops legitimate windows executable
- FiveM.exe (PID: 6264)
The process drops C-runtime libraries
- FiveM.exe (PID: 6264)
The process creates files with name similar to system file names
- FiveM.exe (PID: 6264)
Starts application with an unusual extension
- FiveM.exe (PID: 6264)
INFO
Creates files or folders in the user directory
- FiveM.exe (PID: 6220)
- FiveM.exe (PID: 6264)
- FiveM_DumpServer (PID: 5076)
The sample compiled with english language support
- FiveM.exe (PID: 6220)
- FiveM.exe (PID: 6264)
Checks supported languages
- FiveM.exe (PID: 6264)
- FiveM.exe (PID: 6220)
- GameBar.exe (PID: 6744)
- FiveM_DumpServer (PID: 5076)
Reads the computer name
- FiveM.exe (PID: 6264)
- GameBar.exe (PID: 6744)
- FiveM_DumpServer (PID: 5076)
Sends debugging messages
- FiveM_DumpServer (PID: 5076)
Manual execution by a user
- wscript.exe (PID: 1596)
- wscript.exe (PID: 6324)
- wscript.exe (PID: 4684)
- wscript.exe (PID: 7152)
- wscript.exe (PID: 4804)
- wscript.exe (PID: 6348)
- wscript.exe (PID: 5316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:01:06 10:37:20+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.36 |
| CodeSize: | 3409920 |
| InitializedDataSize: | 1926144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x28f310 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.12193 |
| ProductVersionNumber: | 2.0.0.12193 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Cfx.re |
| FileDescription: | FiveM |
| InternalName: | FiveM |
| FileVersion: | 2.0.0.12193 |
| LegalCopyright: | (C) 2015-2022 Cfx.re |
| OriginalFileName: | CitizenMP.exe |
| ProductName: | FiveM |
| ProductVersion: | 2.0.0.12193 |
Total processes
137
Monitored processes
13
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1596 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\src_cfx_common_services_servers_source_WorkerSource_worker_ts.chunk.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4076 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4684 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\jquery.mustache.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4804 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\src_cfx_apps_mpMenu_parts_ThemeManager_BackdropBlur_worker_ts.chunk.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 5076 | "C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_DumpServer" -dumpserver:2800 -parentpid:6264 | C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_DumpServer | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Version: 2.0.0.12193 Modules
| |||||||||||||||
| 5316 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\mustache.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6220 | "C:\Users\admin\Desktop\FiveM.exe" | C:\Users\admin\Desktop\FiveM.exe | explorer.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Exit code: 0 Version: 2.0.0.12193 Modules
| |||||||||||||||
| 6264 | "C:\Users\admin\AppData\Local\FiveM\FiveM.exe" | C:\Users\admin\AppData\Local\FiveM\FiveM.exe | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Version: 2.0.0.12193 Modules
| |||||||||||||||
| 6324 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\4882a7e0ebef18227792.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6348 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\code.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
29 557
Read events
29 365
Write events
184
Delete events
8
Modification events
| (PID) Process: | (6220) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\CitizenFX\FiveM |
| Operation: | write | Name: | Last Run Location |
Value: C:\Users\admin\Desktop\ | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\CitizenFX\FiveM |
| Operation: | write | Name: | Last Run Location |
Value: C:\Users\admin\AppData\Local\FiveM\FiveM.app\ | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | DisplayName |
Value: FiveM | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\FiveM\FiveM.exe,0 | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | HelpLink |
Value: https://cfx.re/ | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\FiveM | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | Publisher |
Value: Cfx.re | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\FiveM\FiveM.exe" -uninstall app | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | URLInfoAbout |
Value: https://cfx.re/ | |||
| (PID) Process: | (6264) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
423
Suspicious files
173
Text files
217
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6220 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.exe | executable | |
MD5:357B5269F142658D15F2EE3F0FF949F4 | SHA256:2ED4CFB162F0E3294823B18E6198465181C56E2D362B37F439C35F57FB92617A | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM - Cfx.re Development Kit (FxDK).lnk | binary | |
MD5:E37C21568CDC35CE3636F04CB73B3B3B | SHA256:90940A8300300083070BF61F3F594076C39884497A1322AAD892422E5EEF736F | |||
| 6220 | FiveM.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk | binary | |
MD5:4E7212D59B9DC05164A83049AC5282EA | SHA256:6FA9A6765EF773515EEEC79646F9290B6636A89AA58746695044EE9F305137B7 | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2060_aslr.bin.tmp | executable | |
MD5:BE8606BBC461AB6D0C6110073A58A684 | SHA256:E019CCEF41980952EFC0C2B780950BA4C4DC903FD87713A3536650825CBF133B | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1_aslr.bin | executable | |
MD5:E86B51ADEA4D3772F3F7BD491D78A1E4 | SHA256:B9DF7B9307E239556EDBD39341729DD3261F21C30BCA30CDEE61AF1F50E026A5 | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_chrome.bin | executable | |
MD5:F4531FD8AA38C5B2C83057698009AA5F | SHA256:6592072D3800CD988144A58E387163AB7C97DC8BEFE010395414BA1425DD0596 | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1604_aslr.bin.tmp | executable | |
MD5:79D058A46C3FFA843AA8FF07B88003AC | SHA256:1F2286E6BCD9239798421E81DEA8332506B95EF18AA9F99B7E0B80C15CFE1DBB | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2189_aslr.bin.tmp | executable | |
MD5:A211E9C1766FBBA575A701370126C41C | SHA256:E8C04FEA60BAE7C40208A35A30385EA48DABD5CC6160560419383C15AE7A5E70 | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2189_aslr.bin | executable | |
MD5:A211E9C1766FBBA575A701370126C41C | SHA256:E8C04FEA60BAE7C40208A35A30385EA48DABD5CC6160560419383C15AE7A5E70 | |||
| 6264 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM - Cfx.re Development Kit (FxDK).lnk | binary | |
MD5:E7F817FFD580687DB9E66C91F3AE0AF3 | SHA256:A77422D2A2827B6BAAC0B8B0950EBAFF2DB4B5AFC2B1EFC224EA5403FD9CD7C0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
424
TCP/UDP connections
30
DNS requests
10
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5564 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5564 | svchost.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1736812546 | unknown | text | 7 b | — |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1736812547 | unknown | text | 7 b | — |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/1f/22/1f2286e6bcd9239798421e81dea8332506b95ef18aa9f99b7e0b80c15cfe1dbb.xz | unknown | binary | 745 Kb | — |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/e8/c0/e8c04fea60bae7c40208a35a30385ea48dabd5cc6160560419383c15ae7a5e70.xz | unknown | binary | 752 Kb | — |
— | — | GET | 200 | 104.18.34.171:443 | https://content.cfx.re/updates/b0/af/b0af3dd5fe3c87cea421427fa06522c1ef2ecfcaabffac315596d1194b4fa22e | unknown | text | 95.7 Kb | — |
— | — | GET | 200 | 172.64.153.85:443 | https://content.cfx.re/updates/c1/e3/c1e3fa3ef746937d06c25cb989826621dce8dd14ea4e695697fbd9c541857130.xz | unknown | binary | 52.8 Kb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5564 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6220 | FiveM.exe | 104.18.34.171:443 | content.cfx.re | CLOUDFLARENET | — | unknown |
6264 | FiveM.exe | 104.18.34.171:443 | content.cfx.re | CLOUDFLARENET | — | unknown |
4712 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
5564 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
5564 | svchost.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
content.cfx.re |
| unknown |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
sentry.fivem.net |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
FiveM_DumpServer | DumpServer is active and waiting.
|