File name:

Movavi Pro crack.exe.exe

Full analysis: https://app.any.run/tasks/7b2bb2bf-f833-47b8-b851-fc27f9ce7c19
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: January 20, 2024, 10:16:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
redline
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

29320C0F3E5CA5783F3BA01F0598FD79

SHA1:

B3E85C4A546E4ABA2077953F1573A5AA99DB5D91

SHA256:

7F6C6DCA1F003023B41E6FD1E0204E5ED08AF2F68D87109856D0660CE42176DA

SSDEEP:

6144:V1iYKJmJ4L6yZ99KO71ByeTn1V6XBGwTvnifmS/C9zQ19GYGMgesjIOIldiYTq:V1iYeLz9K3N0C929GYGMgesTIlNq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • Movavi Pro crack.exe.exe (PID: 120)

    • Drops the executable file immediately after the start

      • Movavi Pro crack.exe.exe (PID: 120)

    • Create files in the Startup directory

      • Movavi Pro crack.exe.exe (PID: 120)

    • REDLINE has been detected (SURICATA)

      • Movavi Pro crack.exe.exe (PID: 120)

    • Actions looks like stealing of personal data

      • Movavi Pro crack.exe.exe (PID: 120)

  • SUSPICIOUS

    • Searches for installed software

      • Movavi Pro crack.exe.exe (PID: 120)

    • Reads browser cookies

      • Movavi Pro crack.exe.exe (PID: 120)

    • Connects to unusual port

      • Movavi Pro crack.exe.exe (PID: 120)

    • Executable content was dropped or overwritten

      • Movavi Pro crack.exe.exe (PID: 120)

    • Reads the Internet Settings

      • Movavi Pro crack.exe.exe (PID: 120)

  • INFO

    • Checks supported languages

      • Movavi Pro crack.exe.exe (PID: 120)
      • qemu-ga.exe (PID: 1504)
      • wmpnscfg.exe (PID: 572)

    • Reads product name

      • Movavi Pro crack.exe.exe (PID: 120)

    • Reads the computer name

      • Movavi Pro crack.exe.exe (PID: 120)
      • qemu-ga.exe (PID: 1504)
      • wmpnscfg.exe (PID: 572)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 572)

    • Reads Environment values

      • Movavi Pro crack.exe.exe (PID: 120)

    • Reads the machine GUID from the registry

      • Movavi Pro crack.exe.exe (PID: 120)

    • Creates files or folders in the user directory

      • Movavi Pro crack.exe.exe (PID: 120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:17 12:28:57+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 34304
InitializedDataSize: 349696
UninitializedDataSize: -
EntryPoint: 0x13f6
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REDLINE movavi pro crack.exe.exe qemu-ga.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\AppData\Local\Temp\Movavi Pro crack.exe.exe" C:\Users\admin\AppData\Local\Temp\Movavi Pro crack.exe.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\movavi pro crack.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
572"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1504"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeMovavi Pro crack.exe.exe
User:
admin
Integrity Level:
MEDIUM
Description:
qemu-ga
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\qemu-ga.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
3 452
Read events
3 444
Write events
8
Delete events
0

Modification events

(PID) Process:(120) Movavi Pro crack.exe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(120) Movavi Pro crack.exe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(120) Movavi Pro crack.exe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(120) Movavi Pro crack.exe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
120Movavi Pro crack.exe.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeexecutable
MD5:A5CE3ABA68BDB438E98B1D0C70A3D95C
SHA256:9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
5

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
120
Movavi Pro crack.exe.exe
82.115.223.55:8134
Partner LLC
RU
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
A Network Trojan was detected
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Movavi Pro crack.exe.exe