File name: NoEscape.zip

Full analysis: https://app.any.run/tasks/ab96b906-d645-4f2a-989c-d4ff6366a14f
Verdict: Malicious activity
Analysis date: July 31, 2024, 09:08:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: EF4FDF65FC90BFDA8D1D2AE6D20AFF60
SHA1: 9431227836440C78F12BFB2CB3247D59F4D4640B
SHA256: 47F6D3A11FFD015413FFB96432EC1F980FBA5DD084990DD61A00342C5F6DA7F8
SSDEEP: 12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 6960)
    • UAC/LUA settings modification

      • NoEscape.exe (PID: 6960)
    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 6960)
    • Drops the executable file immediately after the start

      • NoEscape.exe (PID: 6960)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 2960)
      • ShellExperienceHost.exe (PID: 2464)
    • Reads the date of Windows installation

      • NoEscape.exe (PID: 2960)
    • Application launched itself

      • NoEscape.exe (PID: 2960)
    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 6960)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4204)
    • Likely accesses (executes) a file from the Public directory

      • notepad++.exe (PID: 6704)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6688)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6688)
    • Manual execution by a user

      • NoEscape.exe (PID: 2960)
      • notepad++.exe (PID: 6704)
    • Checks supported languages

      • NoEscape.exe (PID: 2960)
      • NoEscape.exe (PID: 6960)
      • ShellExperienceHost.exe (PID: 2464)
      • PLUGScheduler.exe (PID: 4204)
    • Reads the computer name

      • NoEscape.exe (PID: 2960)
      • NoEscape.exe (PID: 6960)
      • ShellExperienceHost.exe (PID: 2464)
      • PLUGScheduler.exe (PID: 4204)
    • Process checks computer location settings

      • NoEscape.exe (PID: 2960)
    • Creates files in the program directory

      • NoEscape.exe (PID: 6960)
      • PLUGScheduler.exe (PID: 4204)
    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 6960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:11:29 12:11:58
ZipCRC: 0x52a4a52a
ZipCompressedSize: 631426
ZipUncompressedSize: 682655
ZipFileName: NoEscape.exe
No data.
All screenshots are available in the full report
Total processes: 246
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, noescape.exe (no specs), noescape.exe, shellexperiencehost.exe (no specs), plugscheduler.exe (no specs), notepad++.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 2464
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID: 2960
CMD: "C:\Users\admin\Desktop\NoEscape.exe"
Path: C:\Users\admin\Desktop\NoEscape.exe
Parent process: explorer.exe
User:
admin
Company:
Endermanch
Integrity Level:
MEDIUM
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4204
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 6688
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\NoEscape.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6704
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Desktop\໖ॵྎ∀⏲ᲐֽⰋ૜ᑂỢᬁⳌ൤⬰♮ᮦވὉ⾋ẞᄫ⃆ᑟ"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
HIGH
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6960
CMD: "C:\Users\admin\Desktop\NoEscape.exe"
Path: C:\Users\admin\Desktop\NoEscape.exe
Parent process: NoEscape.exe
User:
admin
Company:
Endermanch
Integrity Level:
HIGH
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 6 296
Read events: 6 254
Write events: 42
Delete events: 0

Modification events

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\NoEscape.zip

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9000000E3000000A9040000CC020000
Executable files: 2
Suspicious files: 191
Text files: 12
Unknown types: 6

Dropped files

PID | Process | Filename | Type

6688 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6688.24265\NoEscape.exe | executable
MD5: 989AE3D195203B323AA2B3ADF04E9833
SHA256: D30D7676A3B4C91B77D403F81748EBF6B8824749DB5F860E114A8A204BCA5B8F

6960 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-32.png | image
MD5: 5D572D54E293ACD90D5B8AD6036333DA
SHA256: 4810DC6C101937DDE12D4581DE81E608EA144761D1307779DC6A256872330EDE

6960 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-40.png | image
MD5: D8E22EF10BD7AB65F56220D2845D6A94
SHA256: B115A4548AD8E9C7CADB707A0FF79FCD55D9D900EEFA7A922CA50C85C4D3CA1D

6960 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user.png | image
MD5: 96F17C361A25164E71716D5BB56CB3D8
SHA256: 1025314EF977B5D07041B8B73E4ADBEA779E5E06096C3C66BD1F06FBBBA7FD1C

6960 | NoEscape.exe | C:\Users\Public\Desktop\ང௨ዐ⸈३⡌❛”⣸ᤤ۲ఽᵯኵᏴἭआ⧊इᶅ∆ᚌୠ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

6960 | NoEscape.exe | C:\Users\Public\Desktop\⊱⦹⸎᚜ᑡᄱᎿ᬴ࡊⓈ⬹ᔠࠆᱞệጒপೢ⤤☧ޑ⳿ዔḧᩑப⻨ᖚ⍘ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

6960 | NoEscape.exe | C:\Users\Public\Desktop\⟍֬ᔹૹⰻਇ⿆⛂ެᵬ⩦᲼い⁠ᝍરᇘ༎▓౸ᱳ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

6960 | NoEscape.exe | C:\Users\Public\Desktop\ી৉ഖᮟᴌው჋ੑ᯸ఉ⦢ዛᯡଃ⮞ჩ᠗ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

6960 | NoEscape.exe | C:\Users\Public\Desktop\≶↘࢑Ἂ⤺〺⮡❋᱐␒߀⚂⓻޾⪇࣍โ✭ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

6960 | NoEscape.exe | C:\Users\Public\Desktop\ፀૹ⺕ಯښήޫଲ↞ચ☌ଯᖛ႘ⶬỌ♓⮒⭱ | binary
MD5: E49F0A8EFFA6380B4518A8064F6D240B
SHA256: 8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 58
DNS requests: 25
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6552 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4364 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6600 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
3000 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2536 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4484 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5336 | SearchApp.exe | 92.123.104.40:443 | www.bing.com | Akamai International B.V. | DE | unknown
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4364 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
th.bing.com
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
  • 51.104.15.253
whitelisted

Threats

No threats detected
No debug info