File name: Luxury Crypter_18.8.1.1_Cracked.exe

Full analysis: https://app.any.run/tasks/c1b22627-890f-4af3-857e-595ca861c1b2
Verdict: Malicious activity
Analysis date: September 13, 2024, 20:37:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 07EDD8C858453717B12394320DB59F01
SHA1: 4270F53F550ADC6D2E6FAA3E7A8A43BCCE5AACB6
SHA256: 74D59D15069A4A1E6F0C349651873F0B88DD303B8A60C7C86AF3C3A8DF02EC23
SSDEEP: 98304:ACUoGc1Er10m+B2hsc4DRv1cIDck84vxHDr2Z7AWlz372ig9g0cUbhw50Og8JUv4:56DZGcadewYg0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
    • Executable content was dropped or overwritten

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
  • INFO

    • Checks supported languages

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
    • Create files in a temporary directory

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
    • Reads the computer name

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
    • Reads the machine GUID from the registry

      • Luxury Crypter_18.8.1.1_Cracked.exe (PID: 7052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7052) Luxury Crypter_18.8.1.1_Cracked.exe
Decrypted-URLs (5):
http://confuser.codeplex.com
http://scripts.sil.org/OFLMulishRomanWeightItalicRoman
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMulishRomanWeightItalicRoman
http://www.sansoxygen.comThis
https://github.com/googlefonts/mulish)MulishBold3.603;NONE;Mulish-BoldMulish
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2076:12:07 05:54:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 80
CodeSize: 8643072
InitializedDataSize: 179200
UninitializedDataSize: -
EntryPoint: 0x8400be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 18.8.1.1
ProductVersionNumber: 18.8.1.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Luxury Shield (Crypter)
FileVersion: 18.8.1.1
InternalName: Luxury Crypter.exe
LegalCopyright: Luxury Shield (Crypter) Copyright © 2019 - 2023
LegalTrademarks: -
OriginalFileName: Luxury Crypter.exe
ProductName: Luxury Shield (Crypter)
ProductVersion: 18.8.1.1
AssemblyVersion: 18.8.1.1
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: #XOR-URL luxury crypter_18.8.1.1_cracked.exe

Process information

PID: 7052
CMD: "C:\Users\admin\AppData\Local\Temp\Luxury Crypter_18.8.1.1_Cracked.exe"
Path: C:\Users\admin\AppData\Local\Temp\Luxury Crypter_18.8.1.1_Cracked.exe
Indicators: xor-url
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Luxury Shield (Crypter)
Exit code: 1
Version: 18.8.1.1
Modules (Images):
c:\users\admin\appdata\local\temp\luxury crypter_18.8.1.1_cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 300
Read events: 300
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 7052
Process: Luxury Crypter_18.8.1.1_Cracked.exe
Filename: C:\Users\admin\AppData\Local\Temp\Luxury.dll
Type: executable
MD5: D1BC71BCE98AA4F7DCF4C59EAE2B3307
SHA256: 7BC49E595E3D5611C62A040FC6BE5129C78E8DB02A79E30A0261883D2C3C06A3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 30
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7072 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
1776 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6664 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
6664 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7072 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6276 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7072 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1776 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1776 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 142.250.185.206 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
login.live.com | 40.126.32.140, 40.126.32.68, 20.190.160.17, 40.126.32.138, 40.126.32.74, 40.126.32.72, 40.126.32.76, 40.126.32.136 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
slscr.update.microsoft.com | 20.114.59.183 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.166.126.56 | whitelisted

Threats

No threats detected
No debug info