File name:

FiveM Mod Menu Pro 1.2.exe

Full analysis: https://app.any.run/tasks/5ed5e22f-3726-4ffb-aad9-6a5bd5058eda
Verdict: Malicious activity
Analysis date: January 20, 2022, 21:47:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B0331B9A81DB9603C8EBBF34221BC6CE

SHA1:

48E601134C0AC2CD45C0DD1CE7D549215F961468

SHA256:

74835358607F39D17340170AD126EEB486BD657BBB9AF3BD94C73C707472C74D

SSDEEP:

196608:bJVRvQfSqTumlUtM+BFGUII0A8uY5T7fp02:btiJamljl60duAb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Loads dropped or rewritten executable

      • FiveM Mod Menu Pro 1.2.exe (PID: 4088)

  • SUSPICIOUS

    • Checks supported languages

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)
      • FiveM Mod Menu Pro 1.2.exe (PID: 4088)

    • Reads the computer name

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Drops a file that was compiled in debug mode

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Executable content was dropped or overwritten

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Application launched itself

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Loads Python modules

      • FiveM Mod Menu Pro 1.2.exe (PID: 4088)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • FiveM Mod Menu Pro 1.2.exe (PID: 2828)

    • Checks supported languages

      • explorer.exe (PID: 3740)

    • Manual execution by user

      • explorer.exe (PID: 3740)

    • Reads the computer name

      • explorer.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x997c
UninitializedDataSize: -
InitializedDataSize: 173056
CodeSize: 136192
LinkerVersion: 14.29
PEType: PE32
TimeStamp: 2022:01:20 00:10:46+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jan-2022 23:10:46

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 19-Jan-2022 23:10:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00021248
0x00021400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63065
.rdata
0x00023000
0x0000CEA8
0x0000D000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.97377
.data
0x00030000
0x0000F874
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.67626
.rsrc
0x00040000
0x0001AB7C
0x0001AC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.21718
.reloc
0x0005B000
0x00001AFC
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.57465

Resources

Title
Entropy
Size
Codepage
Language
Type
0
2.79908
90
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON
1
5.28625
1417
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
3.26101
67624
Latin 1 / Western European
UNKNOWN
RT_ICON
3
3.84096
16936
Latin 1 / Western European
UNKNOWN
RT_ICON
4
4.18241
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
5
4.45426
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
6
4.9835
1128
Latin 1 / Western European
UNKNOWN
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start fivem mod menu pro 1.2.exe fivem mod menu pro 1.2.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2828"C:\Users\admin\AppData\Local\Temp\FiveM Mod Menu Pro 1.2.exe" C:\Users\admin\AppData\Local\Temp\FiveM Mod Menu Pro 1.2.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\fivem mod menu pro 1.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
3740"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
4088"C:\Users\admin\AppData\Local\Temp\FiveM Mod Menu Pro 1.2.exe" C:\Users\admin\AppData\Local\Temp\FiveM Mod Menu Pro 1.2.exe
FiveM Mod Menu Pro 1.2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\fivem mod menu pro 1.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
Total events
236
Read events
236
Write events
0
Delete events
0

Modification events

No data
Executable files
23
Suspicious files
1
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_cffi_backend.cp38-win32.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_ctypes.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_asyncio.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_bz2.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_decimal.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_hashlib.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_lzma.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_multiprocessing.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_queue.pydexecutable
MD5:
SHA256:
2828FiveM Mod Menu Pro 1.2.exeC:\Users\admin\AppData\Local\Temp\_MEI28282\_overlapped.pydexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4088
FiveM Mod Menu Pro 1.2.exe
GET
51.79.67.169:80
http://51.79.67.169/xd.exe
GB
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4088
FiveM Mod Menu Pro 1.2.exe
51.79.67.169:80
GB
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
4088
FiveM Mod Menu Pro 1.2.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
4088
FiveM Mod Menu Pro 1.2.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
4088
FiveM Mod Menu Pro 1.2.exe
Misc activity
ET INFO Packed Executable Download
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FiveM Mod Menu Pro 1.2.exe