download: /Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0

Full analysis: https://app.any.run/tasks/7ae14f6f-ef8b-480d-82a3-e9ffd1decafc
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 14, 2024, 02:54:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
noescape
wiper
stealer
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 text, with very long lines (1616)
MD5: 5E55818C782401D0D98DC2148AADFDD3
SHA1: 34112FED1A333B58F9F704509850FC1C1A9FD288
SHA256: 6EEEC0C2C466099F68BDF66931D6420D9D4D460C08F5F54E04E39949E40AB2AC
SSDEEP: 3072:Lqz7DznSaLhQHgANLEZbOh2nczkmNUNF+rtCKSV1PHMvpZNscSV1PHMvp1p4pOLj:tXsi4pOL/saqkPV9FemLtcIDSsmwJ9Fv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NOESCAPE has been detected

      • NoEscape.exe (PID: 4548)
    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 4548)
    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 4548)
    • UAC/LUA settings modification

      • NoEscape.exe (PID: 4548)
    • Actions look like stealing of personal data

      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 5252)
      • ShellExperienceHost.exe (PID: 6784)
    • Application launched itself

      • NoEscape.exe (PID: 5252)
      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)
    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 4548)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4404)
  • INFO

    • The sample was compiled with English language support

      • firefox.exe (PID: 6932)
      • NoEscape.exe (PID: 4548)
    • Process checks computer location settings

      • NoEscape.exe (PID: 5252)
      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)
    • Application launched itself

      • firefox.exe (PID: 6912)
      • firefox.exe (PID: 6932)
    • The process uses the downloaded file

      • firefox.exe (PID: 6932)
      • NoEscape.exe (PID: 5252)
      • NoEscape.exe (PID: 4548)
    • Reads the computer name

      • NoEscape.exe (PID: 5252)
      • ShellExperienceHost.exe (PID: 6784)
      • NoEscape.exe (PID: 4548)
      • PLUGScheduler.exe (PID: 4404)
      • msedge.exe (PID: 6120)
      • msedge.exe (PID: 6132)
    • Manual execution by a user

      • firefox.exe (PID: 6912)
      • ctfmon.exe (PID: 4544)
    • Checks supported languages

      • NoEscape.exe (PID: 5252)
      • NoEscape.exe (PID: 4548)
      • ShellExperienceHost.exe (PID: 6784)
      • msedge.exe (PID: 6132)
      • PLUGScheduler.exe (PID: 4404)
      • msedge.exe (PID: 6120)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6220)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6932)
    • Creates files in the program directory

      • NoEscape.exe (PID: 4548)
      • PLUGScheduler.exe (PID: 4404)
    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 4548)
      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)
    • Sends debugging messages

      • ShellExperienceHost.exe (PID: 6784)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

EXIF

HTML

ColorScheme: light dark
ThemeColor: #1e2327
BrowserErrorsUrl: https://api.github.com/_private/browser/errors
BrowserStatsUrl: https://api.github.com/_private/browser/stats
TurboBodyClasses: logged-out env-production page-responsive
OctolyticsDimensionRepository_network_root_nwo: Sn8ow/NoEscape.exe_Virus
OctolyticsDimensionRepository_network_root_id: 381404847
OctolyticsDimensionRepository_is_fork: -
OctolyticsDimensionRepository_public:
OctolyticsDimensionRepository_nwo: Sn8ow/NoEscape.exe_Virus
OctolyticsDimensionRepository_id: 381404847
OctolyticsDimensionUser_login: Sn8ow
OctolyticsDimensionUser_id: 80784394
GoImport: github.com/Sn8ow/NoEscape.exe_Virus git https://github.com/Sn8ow/NoEscape.exe_Virus.git
TurboCacheControl: no-preview
HTTPEquivXPjaxJsVersion: d0c649996199db3d67ce2e127c5f7a5599550fcae7c412368a81d3d19739e75b
HTTPEquivXPjaxCssVersion: 47c04af5bd21cb61932edc9a6a9416d3e507aeef479f7c520e66545ab5133438
HTTPEquivXPjaxCspVersion: ace39c3b6632770952207593607e6e0be0db363435a8b877b1f96abe6430f345
HTTPEquivXPjaxVersion: 61af95f89d168f5aee1892142400788d24e0c89e85b4d3e75bac31e4bec0c49c
ExpectedHostname: github.com
Hostname: github.com
TwitterCreator: 8owSn
TwitterDescription: Latest Version
TwitterTitle: Release Original Version · Sn8ow/NoEscape.exe_Virus
TwitterCard: summary_large_image
TwitterSite: @github
TwitterImage: https://opengraph.githubassets.com/9273c2a963965e309b46a00d8af720a3d81dcc59737d783031d47fd6e64733f9/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
AppleItunesApp: app-id=1477376905, app-argument=https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
Description: Free original NoEscape.exe virus download ! Contribute to Sn8ow/NoEscape.exe_Virus development by creating an account on GitHub.
Viewport: width=device-width
UserLogin: -
AnalyticsLocation: /<user-name>/<repo-name>/releases/show
OctolyticsUrl: https://collector.github.com/github/collect
GoogleSiteVerification: Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
GithubKeyboardShortcuts: repository,copilot
HovercardSubjectTag: repository:381404847
VisitorHmac: 91115fca90cb6858e2f243615ce027ce3d900af7e53b3a2dc46478c5ea21e2ff
VisitorPayload: eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJGOTU0OjFBM0ExNDpGREI0NkU6MTA0RkNENTo2NzVDRjM1NSIsInZpc2l0b3JfaWQiOiI2MDAwODk4MDg4MzE1NDUwMTk3IiwicmVnaW9uX2VkZ2UiOiJmcmEiLCJyZWdpb25fcmVuZGVyIjoiZnJhIn0=
HtmlSafeNonce: 5fe2318f284881f11b8dc03b14d07cae132a186ccacaa598e0fcfbd68030abbf
RequestId: F954:1A3A14:FDB46E:104FCD5:675CF355
CurrentCatalogServiceHash: 6f13f31f798a93a6b08d3be0727120e9af35851fac7b9c620d6cf9a70068c136
RouteAction: show
RouteController: releases
RoutePattern: /:user_id/:repository/releases/tag/*name
Title: Release Original Version · Sn8ow/NoEscape.exe_Virus · GitHub
No data.
All screenshots are available in the full report
Total processes: 277
Monitored processes: 26
Malicious processes: 4
Suspicious processes: 1

Process information (PID, command line, path, parent process)

PID 6220: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\AppData\Local\Temp\1.0.0
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 6912: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID 6932: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID 7056: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22051ce-18c5-4a00-a4b0-43efce5f6d76} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebf2ef0c10 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
PID 7100: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2152 -parentBuildID 20240213221259 -prefsHandle 2144 -prefMapHandle 2132 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5cb5c3a-3384-4a29-80ff-d5d8a2f1fcb6} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebe5f80910 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
PID 2136: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -childID 1 -isForBrowser -prefsHandle 2284 -prefMapHandle 2784 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8e1b4c-7901-4d58-a3b9-504e0b255ca6} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebf7c43f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID 4244: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -childID 2 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2a98b55-dabc-4773-b1cf-43f4507e83d0} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfa127d90 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID 1140: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 4680 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c029678-9fd9-4153-af7f-a2d03ce06f43} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfbc75110 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID 6648: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5040 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5d58dbd-3a6d-4da5-ba63-acc5ef861b2a} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfb31ea10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
PID 6804: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -childID 4 -isForBrowser -prefsHandle 4704 -prefMapHandle 4888 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ee6fa1-20bf-422c-8ffc-784f852f2cf4} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfb31e4d0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 28 967
Read events: 28 940
Write events: 26
Delete events: 1

Modification events

PID 6932 (firefox.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

PID 6932 (firefox.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: AutoAdminLogon
Value: 0

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: DisableCAD
Value: 1

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: shutdownwithoutlogon
Value: 0

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: UseDefaultTile
Value: 1

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: DisableLogonBackgroundImage
Value: 1

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
Operation: write
Name: Scancode Map
Value:

PID 4548 (NoEscape.exe)
Key: HKEY_CURRENT_USER\Control Panel\Mouse
Operation: write
Name: SwapMouseButtons
Value: 1

PID 4548 (NoEscape.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0
Executable files: 5
Suspicious files: 453
Text files: 47
Unknown types: 1

Dropped files

PID 6932, firefox.exe: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:

PID 6932, firefox.exe: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin (binary)
MD5: 297E88D7CEB26E549254EC875649F4EB
SHA256: 8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm (binary)
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm (binary)
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm (binary)
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json (binary)
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp (binary)
MD5: 3B156E12141F8CBCE9D60CDCE2077617
SHA256: E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin (binary)
MD5: 6D6AAFC073C50567683811499BF73F8B
SHA256: D4405CD157645470B9B8E1F74335BF1783F9E68EBCB7649316B89F073580541E

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm (binary)
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 6932, firefox.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp (binary)
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 53
TCP/UDP connections: 171
DNS requests: 200
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6932 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
6932 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | - | - | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6068 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6068 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.176:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 216.58.206.78 | whitelisted
www.bing.com | 104.126.37.176, 104.126.37.136, 104.126.37.178, 104.126.37.139, 104.126.37.154, 104.126.37.129, 104.126.37.145, 2.23.209.133, 2.23.209.187, 2.23.209.130 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.140, 40.126.32.134, 20.190.160.22, 40.126.32.76, 40.126.32.68, 40.126.32.72, 40.126.32.138, 40.126.32.74, 20.190.159.64, 40.126.31.69, 20.190.159.75, 40.126.31.67, 20.190.159.68, 20.190.159.73, 20.190.159.4, 40.126.31.71 | whitelisted
go.microsoft.com | 184.30.17.189, 184.28.89.167 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info