061c630a9036efc0e9c77b447346c8d626f7cc48b79919e1f9ae1ef66a38a89d

Analysis

max time kernel
227s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pooke/Pooke/Cookin The OOPS.exe
Size

349KB
MD5

fb8bb2f17c0146f470b2709efafbefa0
SHA1

25d242382f10216de7eca27d85fc19d5958bafc8
SHA256

d1465690b1f7c20fae2fa7fa61a7183f12a6dbc22c04a4df20eecc0375f04acf
SHA512

7257f7a559caec91d35b0cc67ff31cedbdb0ae507ef8ac651d15036310101eb445587933e4db637242fbaaaceefc6fabbf288df0a58c84ea5d1ea5379cce6bd6
SSDEEP

6144:ChekwSk8q2+TK5UCTKDI13ZyUk790RQesFJu+KAbO6ADUjG:5v9TK5UCWDQ5k790NsFpFAAa

Score

8^/10

discovery evasion

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 44 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3116	netsh.exe
1940	netsh.exe
2632	netsh.exe
4316	netsh.exe
3040	netsh.exe
3496	netsh.exe
3292	netsh.exe
1400	netsh.exe
3016	netsh.exe
1324	netsh.exe
2180	netsh.exe
2276	netsh.exe
4752	netsh.exe
2604	netsh.exe
2752	netsh.exe
2512	netsh.exe
3948	netsh.exe
3472	netsh.exe
2568	netsh.exe
2488	netsh.exe
4584	netsh.exe
5044	netsh.exe
3680	netsh.exe
1436	netsh.exe
4164	netsh.exe
5072	netsh.exe
2052	netsh.exe
428	netsh.exe
2672	netsh.exe
3260	netsh.exe
5116	netsh.exe
2180	netsh.exe
1524	netsh.exe
4728	netsh.exe
5116	netsh.exe
3408	netsh.exe
1012	netsh.exe
1216	netsh.exe
3040	netsh.exe
3548	netsh.exe
2916	netsh.exe
3736	netsh.exe
3588	netsh.exe
3480	netsh.exe

Executes dropped EXE 5 IoCs

pid	Process
4552	FiveM.exe
1684	CitizenFX.exe.new
3372	FiveM.exe
4664	FiveM.exe
892	FiveM_b2699_DumpServer

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini	FiveM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Colors	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Colors	FiveM.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617094485679890"	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FiveM.exe
Key created	\Registry\User\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\NotificationData	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{BECD772F-507B-4660-890C-4565D71AA36B}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	FiveM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Cookin The OOPS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Cookin The OOPS.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{C6B428E5-6747-4A1E-81CF-49F461538B11}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	FiveM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{41CF71E3-B4D7-44E8-A051-80D67D3FAECD}	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FiveM.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4616	Cookin The OOPS.exe
1524	OpenWith.exe
632	OpenWith.exe
4664	FiveM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4552	FiveM.exe
4664	FiveM.exe
4756	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4552	FiveM.exe
5056	OpenWith.exe
4664	FiveM.exe
1524	OpenWith.exe
4664	FiveM.exe
4664	FiveM.exe
632	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 3032	4616	Cookin The OOPS.exe	81
PID 4616 wrote to memory of 3032	4616	Cookin The OOPS.exe	81
PID 4616 wrote to memory of 1364	4616	Cookin The OOPS.exe	84
PID 4616 wrote to memory of 1364	4616	Cookin The OOPS.exe	84
PID 4616 wrote to memory of 760	4616	Cookin The OOPS.exe	85
PID 4616 wrote to memory of 760	4616	Cookin The OOPS.exe	85
PID 4616 wrote to memory of 3332	4616	Cookin The OOPS.exe	86
PID 4616 wrote to memory of 3332	4616	Cookin The OOPS.exe	86
PID 4616 wrote to memory of 2900	4616	Cookin The OOPS.exe	87
PID 4616 wrote to memory of 2900	4616	Cookin The OOPS.exe	87
PID 4616 wrote to memory of 3416	4616	Cookin The OOPS.exe	88
PID 4616 wrote to memory of 3416	4616	Cookin The OOPS.exe	88
PID 4616 wrote to memory of 4320	4616	Cookin The OOPS.exe	89
PID 4616 wrote to memory of 4320	4616	Cookin The OOPS.exe	89
PID 4616 wrote to memory of 4180	4616	Cookin The OOPS.exe	90
PID 4616 wrote to memory of 4180	4616	Cookin The OOPS.exe	90
PID 4756 wrote to memory of 3244	4756	chrome.exe	94
PID 4756 wrote to memory of 3244	4756	chrome.exe	94
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4520	4756	chrome.exe	95
PID 4756 wrote to memory of 4016	4756	chrome.exe	96
PID 4756 wrote to memory of 4016	4756	chrome.exe	96
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97
PID 4756 wrote to memory of 1256	4756	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\Pooke\Pooke\Cookin The OOPS.exe
"C:\Users\Admin\AppData\Local\Temp\Pooke\Pooke\Cookin The OOPS.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe action = block
  2⤵
  PID:2404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe action = block
  2⤵
  PID:4424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe action = block
  2⤵
  PID:3976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe action = block
  2⤵
  PID:4012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe action = block
  2⤵
  PID:1684
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe action = block
  2⤵
  PID:1836
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe action = block
  2⤵
  PID:2360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe action = block
  2⤵
  PID:8
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe action = block
  2⤵
  PID:2032
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe action = block
  2⤵
  PID:3860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe action = block
  2⤵
  PID:2488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe action = block
  2⤵
  PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe action = block
  2⤵
  PID:4952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe action = block
  2⤵
  PID:3760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe action = block
  2⤵
  PID:3756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe action = block
  2⤵
  PID:4520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe action = block
  2⤵
  PID:3420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe action = block
  2⤵
  PID:2768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe action = block
  2⤵
  PID:5100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe action = block
  2⤵
  PID:5024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe action = block
  2⤵
  PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe action = block
  2⤵
  PID:5060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe action = block
    3⤵
    - Modifies Windows Firewall
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
  2⤵
  PID:2648
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
    3⤵
    - Modifies Windows Firewall
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
  2⤵
  PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
    3⤵
    - Modifies Windows Firewall
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe
  2⤵
  PID:4596
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe
  2⤵
  PID:3336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe
  2⤵
  PID:4424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe
  2⤵
  PID:2188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2545_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe
  2⤵
  PID:1036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe
  2⤵
  PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe
  2⤵
  PID:4644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe
  2⤵
  PID:3364
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2372_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe
  2⤵
  PID:2424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe
  2⤵
  PID:876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe
  2⤵
  PID:3260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe
  2⤵
  PID:408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2189_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe
  2⤵
  PID:2608
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe
  2⤵
  PID:2064
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe
  2⤵
  PID:3308
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe
  2⤵
  PID:4736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2060_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe
  2⤵
  PID:1000
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe
  2⤵
  PID:4212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_GTAProcess.exe
    3⤵
    - Modifies Windows Firewall
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe
  2⤵
  PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = out program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe
  2⤵
  PID:3092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe dir = in program = C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_SteamChild.exe
    3⤵
    - Modifies Windows Firewall
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Pause
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 4
  2⤵
  PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0b65ab58,0x7ffe0b65ab68,0x7ffe0b65ab78
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4160 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3284 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5048 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4840 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4476 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4464 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 --field-trial-handle=1876,i,1786121838813567040,412558042955624844,131072 /prefetch:8
  2⤵
  PID:752
- C:\Users\Admin\Downloads\FiveM.exe
  "C:\Users\Admin\Downloads\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Control Panel
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4552
- - C:\Users\Admin\Downloads\CitizenFX.exe.new
    CitizenFX.exe.new -bootstrap "C:\Users\Admin\Downloads\FiveM.exe"
    3⤵
    - Executes dropped EXE
    PID:1684
  - - C:\Users\Admin\Downloads\FiveM.exe
      "C:\Users\Admin\Downloads\FiveM.exe"
      4⤵
      Executes dropped EXE
      PID:3372
    - - C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Modifies Control Panel
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4664
      - C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:2376 -parentpid:4664
        6⤵
        Executes dropped EXE
        
        PID:892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4676

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2984

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-2372\data\control\settings.meta.tmp

Filesize
37KB

MD5
3656c6636cd9dbceaf83230c3c9a2be9

SHA1
989f27c6736a943fd4690091fed26f7c17e3c17f

SHA256
f9ae094812ce9fbd56b58dab7739451792aba8f56c5f21eee15ef96682b413a6

SHA512
52bbb8f2b2d6183f30b908d9171a2ec8c2128bbce145b7af0095d4c199b1ec431d650ec4ed0b1b6cbc7bcc8d29da3285cdcc61368faa8c4e57b45315ced4e4ad

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-3095\data\control\settings.meta.tmp

Filesize
39KB

MD5
619814b8b98007c1698576b7e4efb3ec

SHA1
e60f3ceaf5ca78f74e6867f0b042951bffb91786

SHA256
71ad5591441d62d02d2b62155abcf2cab587af49b86e2db5be6729a5b39df5d1

SHA512
55ab0bd3c1750d63ad3304e63b7c26251f01c8994f385e5643e2bbd37fc6595fd0e9f5fc0d76aa655fe8ad3bc6fdee33248d9f4a76cce11a25d84c3f5de16236

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\release.txt

Filesize
6B

MD5
bc0d2ef702db446712420b39a4e92250

SHA1
fbf03c92c01bd42022829b761b2bc1f6f6ccc810

SHA256
0c7271249d4e34ef9ca98d5c3b622096a7f08568cc88336ac6c0a2d89953e35c

SHA512
5c03d84075574f4eeeac5eceff55f590d9ffb289e20ab8a904ec79a221fa105b0f07979c4bf295a7f4e4e1ad81a4c6e6ec4f851f0c80e0c678d710e37b5840d8

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\lua\natives_universal.lua.tmp

Filesize
1.8MB

MD5
559cc98140d4eff894bdf2b3f6ce2a73

SHA1
1665ac2284d16bcc1fdd319b023b1d12f1cad343

SHA256
dba50975b85ca95d0c41d10ff885c48576aa938731dd56c06af03f46d046e267

SHA512
d96ee466b2b7bd7e44a72fac7ddc624b8882252ae9fd1a07c0dad084113a93061551d0bad6b0898a1638d2688ee599dd84b050c14473807986b3e697511a6d66

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.d.ts.tmp

Filesize
2.1MB

MD5
c3d94830b2a220533e08ffcc9d44974f

SHA1
388ff56c07acfc78d22608406fdfc9d0467cd228

SHA256
30f48ffe2637e8f4fcebb8dbf30f6207923755336d8f5568ba578300b03a3418

SHA512
62464defcd58e956a7c2a98380a7b9397d19f93f9f3cc61d5fda0cf564becf41f6c5f89eaba9d516840f9f8a043a98e09226ee5193bd1e7ab0e5c3d6bf8ddc12

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.js.tmp

Filesize
1.9MB

MD5
681d1b756761d9c7409b072884a8edce

SHA1
08a14e48347f3bef0bd95aa66099b62b67fa07f4

SHA256
51f19f2031f8213ae5a2502b19bb8e60ce42d37da066704c41c1bc9d6f85d387

SHA512
9568f50550b8352cfff31ca36fd585b704145beda629421d337b803d0df35b8658ba2a4b9e3908c66d363a3414d989ec321da6f1e21ff1d48e92cabd393fab63

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini

Filesize
157B

MD5
f9d948aa9426cb1a2a82e651b81a1912

SHA1
2d496caeef3b0bff6b91b99e58736cea51366348

SHA256
b1fe21f251cf7875783ea162ef86c2a5b5022a1c5157bbb7972b6b34e14ec08a

SHA512
a962fae3853f43e4a8e2b33aa5f51a917673d76648845dffcc32037c25cb3f300e4c4fc3ea633bf78b714449dbda84416e41cc16256373c170fb82d8485e3369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\14f44c8a-9337-4f02-b331-87b887af0fd4.tmp

Filesize
261KB

MD5
a6167bf588a8e7c9a2221b6a51c6ddab

SHA1
bc3018fec3c4f017da50ae7d768f141220cfb615

SHA256
0bf8f1379f2935015c41360cd5e268ff03f96b0855c208e3a5ce0f67008055e1

SHA512
3ad153eef22d2440a62a823bd32e3f5336e3c3cf497c35f95b768b113e30452b507f5c527aa7ca044ade66f0b582babffc54fc835f708102b56555d2c0fac26c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\179c204c-39df-48e9-aefa-75e45508430d.tmp

Filesize
16KB

MD5
5803af4b0921d241d3243dc396f9521e

SHA1
0be6cf21c9e46dad969e50e138854622604ed093

SHA256
7ef1cdbefc936e5d0684d3cda469489fc19359b336e4f5a62f1163603a6a3538

SHA512
fb5ea35d7445cf045df098846a4468c0d68795461008d54ec2138dc4de3b5e462546448cead1bb852f5b39cde637072719d0a3444650233a9e30e2d3fde494f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
05c0bf50f9c4e27f4e23e781b51b6533

SHA1
5862415fd5015f1e1ddf6d7221583673dc561c6c

SHA256
c50c743d47e43fba15f1187f433c3a9fe34e17c5bed363e54e2e097cbdda101e

SHA512
6a6184633dc5808c9b18d072e3a0f871ae8bad8d42a119736497b14b527c2023224b36877637c4f5c428ffdd8df09c02f84d1dbae7a18ec1c50255e1b3e8c363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
1f91cc4b3a368c279ba545eeeeaa52ce

SHA1
816f10f8ff7cd942c65530c405286467f697bf20

SHA256
24af23ff937c8d398c7e03d6f93d5d3f6419f59773f14524b53016036974bde1

SHA512
fd5229b007775d094960037d6ef98c162bb3250aa5b238656f5c3c5bcfc0cb00b87f4dc58db5cac0531d09893a5e8c5d9c8c618dfd096471f8b933edc8035a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f7fe815b62106c252730e58903e02a27

SHA1
70d46a371ea798a15016cae436bc141eaf53f8d2

SHA256
d299d34c21bff0ac071185de5ff3e6f4906d8cdfbea70a2989dacaacd76ea068

SHA512
9d7d4aa9d9576e4933c8ffee94517248f6ef7afc46bcb4e63c0243890e98a29b1cb96248a869350c6e34d65feef275842c83c4f11504c3bd97bab91aceae5c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a256ed437371c740436275541c6b1e67

SHA1
a77fb860ef9e6c2a7edaefa8eb3eef262a8abc87

SHA256
ba845234209f533b9edfb325220a41afa69a955f5ac2f7d23b8f61f42b0845fc

SHA512
951aa33589448b82f4ac8646c40c50a3a4bcf6ffd2300ed9a8fc9a805a33e2499ee0b24a5c40d58405da3945a980953583f63f7e8fea083869d81336660d9d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
79bb636a77cf932ae4f8de6b1296beb3

SHA1
e37c66d0e4a14d84677f7e11a0bda303de2f996a

SHA256
1bb10fdfb16fdfd03d1c732ec12f7a446745d12370dbe01bc2d46c2b3be4750d

SHA512
83ff549b8e81b36a759e429e9e9b7f8c47356851a61b4e6678ffdfbaec8b09e55104e51ffa7d93a66d28f9e3a5c5d8be6abd6fc660d752278d8870a3038ddd36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c994823571e7fcdb34592537054434d2

SHA1
800fbccb5784d4da422ac175e3ade2d6901b80a3

SHA256
14ed729b62a215d04d2e00a2a4bcbf8dc71deda4c95bcab0532e7305d46c25dc

SHA512
a02279b85a99e4c0a82e67b7426b40b1cf3b4259d2a97258993cf9f1468fb103677a40afbedc5490da7f3990ee4539bf41a7ca8458f2a3bdbf8f91800fbb0bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
da694dc22f40c964ad0b806a969655aa

SHA1
290bfa038296a4063a68b320cc89e94d25b7cd57

SHA256
6296925b25fcafa4e70c6c9028fcf8f0bc9ba812b7a76a8dee2383ddea6b93d2

SHA512
07d740bf7d6eeef88700df9604b549526ade511710c60d2b545712883046a7d88411adb5a2cff65a467467b15600389e6dd5619b2a5e66fb8680226b263aef7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0c4d53bafacc959af4a640a3e2fd2307

SHA1
e886b8fec27e461f6d2a47d3bae2bf6a2441424b

SHA256
178d6656a0b2f3b0f962d999b47062b0c51360082a5df979bc4253b45ebcc6d7

SHA512
1cd30c5da23e7905a84db7dea773dfe1d6fab0384921c37af127bc3b52148334e28acb6bfa0a443e3644d0f11a62ee39f1495ee9a523410cc924d46945556467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
79a1f4b1265b71b4638ee2be10e9d4b2

SHA1
66f0d14fd79eee67af6dfb0b3554e3c3bfe43b92

SHA256
756cd458e01df37e57e5f8fc72fcf71b40e9c9fd35320d83ba19ae41b56d10c0

SHA512
b25565d819b4a295f992d6465720d7bff9c6970626c413ce134f9f74fd6462b7a868b9ecb20d1dda044746f4d64221d9d9c28756eeadcd710b85a525688ad5d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f09959f90834fa9b53637c4e39734577

SHA1
9023b920938e8ef5ffabc76129486437cbbb40f1

SHA256
175576c0a9f786574ebf8fdccc1ef3a432ca2a9016049a1451a85c3f90070a1b

SHA512
c390bf8ebfff09c3f90ec56c8a534c19387c5c2693c830b6a1a211dc180e380cad691b39bfed8ece150c831bf8350faa7701c67e1865eadb712c03d6725bc499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
170607c75928ce4e0b339c3f8867396f

SHA1
23616c09dca5dcf4cb9adee37b0ec19aee1e73c6

SHA256
ee0895b03148b28c02fc51c2378d743b7de661654e6d529f78cb161b93abc4d3

SHA512
67380f9f9770af386ff8173495b7b3a84f2702301d0055b4760dae0c11e54acb4e3e5f9a8cd8ce3212eed1ec33c13e31caa7fcf665ac04b1a33092fb70def1be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
d07ac4515a2559a7a33023a2cd19acfc

SHA1
5e4d448094a7cf18aad1e08159549028f3022836

SHA256
7555d1652f71cb31ea2085d84599d4271d637ec84438db6bf42d6882c91b68a6

SHA512
0f8ecf7f26ef88dd0fc288a572b52cdbf2f4a691503b665df1c47bb3b81e93d81a44d2d1497fb81a7c8b44821e74269707ce27cc238aca0aa7697152068a8fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
604784d2ceca8ad927c4f0137011cbd3

SHA1
ceca319a1478dccdfcc64f35514ca15ecc3d1ab4

SHA256
7f2055d11f0f2d2bf4a36939e2ada379d7041112c14db7f9b40c939b9ca3faec

SHA512
f77923c9a987805b36a7a49a09a36814ebc89cd2d9362c35c363d4eee650f8675267d91a5069988445bb8953a5c1130cba11921580191086fbbc0a454810198a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a17b.TMP

Filesize
82KB

MD5
669649cd74c842c31f904865f8b586a5

SHA1
2580372ee280d9428a237fadd3f928d093aab6ae

SHA256
967727ae9c06e7ef9bcfb82a0687db080988cd0ea0303daa7c7e1c68c817cfa8

SHA512
094bdb52d7651c89fd7488ffae39cca3cda4cda204f2d03209feb93b5bb407c4ae0af8e29e5f88a7ccec2a8f51fd56ea1960f0868f8273141ed86fdab2c5265e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pooke\Pooke\save.txt

Filesize
36B

MD5
22ee21e84593ca6a6883e23c3425fb35

SHA1
d550b7047c186af0666b1dade1d7a939112bd4d5

SHA256
4e0b2f40e0eaf8d292f7326be80599d525d48be4a94d15dcca47cf2b5849e478

SHA512
fe1c617c60696be0450a2883c44f335a198b40a62753541829b3e9a11a26d10d27b502244f69a89742665357bc29665c6f652b12cb154068ff755aa0d4d8af9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk

Filesize
2KB

MD5
633d883b0e29026bf55a7d9b9b089fcb

SHA1
3e420cd79109473913030545cfd2584feccf02ca

SHA256
323b189de581fd16e551bf26af28e485dd50ef35eadd287de6753087fa73e23f

SHA512
8002d09e68d84a98b1f193925ebe5593e75b2dc796f34f0eac9f3f4099c645de1455df3c79a6d28d191bcf43696c6be586412515ba678ec3e41b4f0a30de417d

Download Submit
C:\Users\Admin\Downloads\CitizenFX.exe.new

Filesize
5.0MB

MD5
b85b0aa54aec3edcb4ebac2c3a32bc26

SHA1
46b008cce9250dc2f96a1d1cb9b681ac4528866d

SHA256
75d805a8d5ec7281de40c9cbe31445a3ad0f0fe73852c55d06f4dcfefa4a9e4d

SHA512
f14fc451b5e954934521878e31b2231e154eccc380a68d6742531cba1edd5405ca307d29b244d8a703c87115c8393a26620f298dca1571e08e4aa11edf8744d9

Download Submit
C:\Users\Admin\Downloads\FiveM.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 880544.crdownload

Filesize
5.0MB

MD5
e8c3fd1b35507fa301fac9367f28757f

SHA1
fd03919c9370248a62c9d540f6cd9fbeccac09f6

SHA256
05a99a0067ddde35a8b6c92721fc8ee058ffe1cee9a9dceb2bafb1a8e2d92368

SHA512
7f4f60aa0978a5f3f49cac744c11b6fe410cf32ec8dcd83fd6ad2120e9830b242b6f6a758c03ca76e8ffa800dbfec1b92f759c176f829f94492ed81e65befcdd

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit