| File name: | FiveM.exe |
| Full analysis: | https://app.any.run/tasks/ddd05358-83c9-4676-bd7e-aad1621ebcd0 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 25, 2025, 01:07:53 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | FC8A8FFAC2B41442D04E534F58AD39DF |
| SHA1: | 355770ACF4FEDCFA009B2F3A986B9FF189B517D2 |
| SHA256: | 672EE97A665325BC227FCC7958002876BB6FFD967B7820193ECA6D5800FB27F4 |
| SSDEEP: | 98304:D+152z1PBaMJBFQf68VXK8A8te5BBf2shx99fBk25dETb9z2MYgzXeN4jqxa8NNg:zwe4Oa |
MALICIOUS
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 432)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 432)
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 480)
SUSPICIOUS
Executable content was dropped or overwritten
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
Starts itself from another location
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
Write to the desktop.ini file (may be used to cloak folders)
- FiveM.exe (PID: 4168)
Reads security settings of Internet Explorer
- FiveM.exe (PID: 4168)
- GameBar.exe (PID: 5236)
Creates a software uninstall entry
- FiveM.exe (PID: 4168)
Process drops legitimate windows executable
- FiveM.exe (PID: 4168)
There is functionality for taking screenshot (YARA)
- FiveM.exe (PID: 4168)
- FiveM_DumpServer (PID: 2312)
The process drops C-runtime libraries
- FiveM.exe (PID: 4168)
The process creates files with name similar to system file names
- FiveM.exe (PID: 4168)
Starts application with an unusual extension
- FiveM.exe (PID: 4168)
Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
- wscript.exe (PID: 4836)
- wscript.exe (PID: 480)
INFO
Reads the computer name
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
- GameBar.exe (PID: 5236)
- FiveM_DumpServer (PID: 2312)
Creates files or folders in the user directory
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
- FiveM_DumpServer (PID: 2312)
The sample compiled with english language support
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
Checks supported languages
- FiveM.exe (PID: 4724)
- FiveM.exe (PID: 4168)
- GameBar.exe (PID: 5236)
- FiveM_DumpServer (PID: 2312)
Manual execution by a user
- wscript.exe (PID: 4196)
- wscript.exe (PID: 5960)
- wscript.exe (PID: 5300)
- wscript.exe (PID: 3980)
- wscript.exe (PID: 3872)
- wscript.exe (PID: 2148)
- wscript.exe (PID: 3048)
- wscript.exe (PID: 480)
- wscript.exe (PID: 4836)
- wscript.exe (PID: 432)
JScript runtime error (SCRIPT)
- wscript.exe (PID: 5300)
- wscript.exe (PID: 3980)
Checks proxy server information
- slui.exe (PID: 2732)
Reads the software policy settings
- slui.exe (PID: 2732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:17 08:24:07+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.36 |
| CodeSize: | 3403264 |
| InitializedDataSize: | 1927168 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x28da20 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.16538 |
| ProductVersionNumber: | 2.0.0.16538 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Cfx.re |
| FileDescription: | FiveM |
| InternalName: | FiveM |
| FileVersion: | 2.0.0.16538 |
| LegalCopyright: | (C) 2015-2022 Cfx.re |
| OriginalFileName: | CitizenMP.exe |
| ProductName: | FiveM |
| ProductVersion: | 2.0.0.16538 |
Total processes
154
Monitored processes
17
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 432 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\main.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 480 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\src_cfx_apps_mpMenu_parts_LegalAccepter_PDFRenderer_tsx.chunk.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 1040 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1660 | "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer | C:\Windows\System32\GameBarPresenceWriter.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Gamebar Presence Writer Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2148 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\src_cfx_common_services_servers_source_WorkerSource_worker_ts.chunk.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2312 | "C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_DumpServer" -dumpserver:2124 -parentpid:4168 | C:\Users\admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_DumpServer | FiveM.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: FiveM Version: 2.0.0.16538 Modules
| |||||||||||||||
| 2732 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3048 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\color-scheme.min.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3872 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\src_cfx_apps_mpMenu_parts_ThemeManager_BackdropBlur_worker_ts.chunk.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3980 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\jquery.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
33 466
Read events
33 345
Write events
117
Delete events
4
Modification events
| (PID) Process: | (4724) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\CitizenFX\FiveM |
| Operation: | write | Name: | Last Run Location |
Value: C:\Users\admin\Desktop\ | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\CitizenFX\FiveM |
| Operation: | write | Name: | Last Run Location |
Value: C:\Users\admin\AppData\Local\FiveM\FiveM.app\ | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | DisplayName |
Value: FiveM | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\FiveM\FiveM.exe,0 | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | HelpLink |
Value: https://cfx.re/ | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\FiveM | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | Publisher |
Value: Cfx.re | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\FiveM\FiveM.exe" -uninstall app | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | URLInfoAbout |
Value: https://cfx.re/ | |||
| (PID) Process: | (4168) FiveM.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitizenFX_FiveM |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
418
Suspicious files
117
Text files
224
Unknown types
56
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4724 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.exe | executable | |
MD5:FC8A8FFAC2B41442D04E534F58AD39DF | SHA256:672EE97A665325BC227FCC7958002876BB6FFD967B7820193ECA6D5800FB27F4 | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM - Cfx.re Development Kit (FxDK).lnk | lnk | |
MD5:6C668C42F02083EF9E17B90BD8216FE5 | SHA256:B51CF9A78F39E754F796883126085EBF21C17A377C25DE31E8A47F8E0FF1892F | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1_aslr.bin.tmp | executable | |
MD5:98EF5E2190853602E9D2E33F4AD5F83E | SHA256:0054B35B9DAA280CCD0ABF32E66C0562D9633690B99D1DE12E2232B38B53567D | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2189_aslr.bin.tmp | executable | |
MD5:759F5AD36E5327BAF80E83286666466E | SHA256:F2F11B5B506CE6A848AA472F8B1905CD81E0840AE2A786A092588E76760F4D3F | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitiLaunch_TLSDummy.dll.tmp | executable | |
MD5:7892DF9CF0675D24AEF591E09F6E9040 | SHA256:CA15E331CF6A9BD97CEBF4790DBE96E617409BBC375DD4032B82DE495301B8D4 | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitiLaunch_TLSDummy.dll | executable | |
MD5:7892DF9CF0675D24AEF591E09F6E9040 | SHA256:CA15E331CF6A9BD97CEBF4790DBE96E617409BBC375DD4032B82DE495301B8D4 | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1604_aslr.bin | executable | |
MD5:BDA6965ECACE39125C1D1D0AB6972286 | SHA256:398EB804BAC414A01B41EDBEF547F81CB7ADB58572BBBEE3030DB8B65461F268 | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1_aslr.bin | executable | |
MD5:98EF5E2190853602E9D2E33F4AD5F83E | SHA256:0054B35B9DAA280CCD0ABF32E66C0562D9633690B99D1DE12E2232B38B53567D | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_2060_aslr.bin.tmp | executable | |
MD5:374914BBAFC751AE9CB8D8109C4F65C7 | SHA256:CE59043E1B5F4C8194F16F0AC628AEA28249F5E4CEBC10D14AC89DAD680CD3B5 | |||
| 4168 | FiveM.exe | C:\Users\admin\AppData\Local\FiveM\FiveM.app\CitizenFX_SubProcess_game_1604_aslr.bin.tmp | executable | |
MD5:BDA6965ECACE39125C1D1D0AB6972286 | SHA256:398EB804BAC414A01B41EDBEF547F81CB7ADB58572BBBEE3030DB8B65461F268 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
429
TCP/UDP connections
31
DNS requests
10
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.18.9.193:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1753405685 | unknown | text | 7 b | unknown |
— | — | GET | 200 | 104.18.8.193:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1753405686 | unknown | text | 7 b | unknown |
— | — | GET | 200 | 104.18.9.193:443 | https://content.cfx.re/updates/7a/b0/7ab0536e624cf62f0fcdb76d7461fdc8754ab43ee907c75fab8807940912b288 | unknown | text | 96.2 Kb | unknown |
— | — | GET | 200 | 104.18.8.193:443 | https://content.cfx.re/updates/ca/15/ca15e331cf6a9bd97cebf4790dbe96e617409bbc375dd4032b82de495301b8d4.xz | unknown | binary | 52.9 Kb | unknown |
— | — | GET | 200 | 104.18.8.193:443 | https://content.cfx.re/updates/heads/fivereborn/production?time=1753405684 | unknown | text | 7 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
content.cfx.re |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
sentry.fivem.net |
| whitelisted |
Threats
Process | Message |
|---|---|
FiveM_DumpServer | DumpServer is active and waiting.
|