download:

/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0

Full analysis: https://app.any.run/tasks/7ae14f6f-ef8b-480d-82a3-e9ffd1decafc
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 02:54:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
noescape
wiper
stealer
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 text, with very long lines (1616)
MD5:

5E55818C782401D0D98DC2148AADFDD3

SHA1:

34112FED1A333B58F9F704509850FC1C1A9FD288

SHA256:

6EEEC0C2C466099F68BDF66931D6420D9D4D460C08F5F54E04E39949E40AB2AC

SSDEEP:

3072:Lqz7DznSaLhQHgANLEZbOh2nczkmNUNF+rtCKSV1PHMvpZNscSV1PHMvp1p4pOLj:tXsi4pOL/saqkPV9FemLtcIDSsmwJ9Fv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 4548)

    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 4548)

    • NOESCAPE has been detected

      • NoEscape.exe (PID: 4548)

    • UAC/LUA settings modification

      • NoEscape.exe (PID: 4548)

    • Actions looks like stealing of personal data

      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)

  • SUSPICIOUS

    • Application launched itself

      • NoEscape.exe (PID: 5252)
      • msedge.exe (PID: 6120)
      • msedge.exe (PID: 6132)

    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 5252)
      • ShellExperienceHost.exe (PID: 6784)

    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 4548)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4404)

  • INFO

    • The sample compiled with english language support

      • firefox.exe (PID: 6932)
      • NoEscape.exe (PID: 4548)

    • Application launched itself

      • firefox.exe (PID: 6932)
      • firefox.exe (PID: 6912)

    • The process uses the downloaded file

      • firefox.exe (PID: 6932)
      • NoEscape.exe (PID: 4548)
      • NoEscape.exe (PID: 5252)

    • Checks supported languages

      • NoEscape.exe (PID: 5252)
      • NoEscape.exe (PID: 4548)
      • ShellExperienceHost.exe (PID: 6784)
      • PLUGScheduler.exe (PID: 4404)
      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)

    • Reads the computer name

      • NoEscape.exe (PID: 5252)
      • NoEscape.exe (PID: 4548)
      • ShellExperienceHost.exe (PID: 6784)
      • PLUGScheduler.exe (PID: 4404)
      • msedge.exe (PID: 6120)
      • msedge.exe (PID: 6132)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6932)

    • Process checks computer location settings

      • NoEscape.exe (PID: 5252)
      • msedge.exe (PID: 6120)
      • msedge.exe (PID: 6132)

    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 4548)
      • msedge.exe (PID: 6132)
      • msedge.exe (PID: 6120)

    • Manual execution by a user

      • ctfmon.exe (PID: 4544)
      • firefox.exe (PID: 6912)

    • Sends debugging messages

      • ShellExperienceHost.exe (PID: 6784)

    • Creates files in the program directory

      • NoEscape.exe (PID: 4548)
      • PLUGScheduler.exe (PID: 4404)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

HTML

Title: Release Original Version · Sn8ow/NoEscape.exe_Virus · GitHub
RoutePattern: /:user_id/:repository/releases/tag/*name
RouteController: releases
RouteAction: show
CurrentCatalogServiceHash: 6f13f31f798a93a6b08d3be0727120e9af35851fac7b9c620d6cf9a70068c136
RequestId: F954:1A3A14:FDB46E:104FCD5:675CF355
HtmlSafeNonce: 5fe2318f284881f11b8dc03b14d07cae132a186ccacaa598e0fcfbd68030abbf
VisitorPayload: eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJGOTU0OjFBM0ExNDpGREI0NkU6MTA0RkNENTo2NzVDRjM1NSIsInZpc2l0b3JfaWQiOiI2MDAwODk4MDg4MzE1NDUwMTk3IiwicmVnaW9uX2VkZ2UiOiJmcmEiLCJyZWdpb25fcmVuZGVyIjoiZnJhIn0=
VisitorHmac: 91115fca90cb6858e2f243615ce027ce3d900af7e53b3a2dc46478c5ea21e2ff
HovercardSubjectTag: repository:381404847
GithubKeyboardShortcuts: repository,copilot
GoogleSiteVerification: Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
OctolyticsUrl: https://collector.github.com/github/collect
AnalyticsLocation: /<user-name>/<repo-name>/releases/show
UserLogin: -
Viewport: width=device-width
Description: Free original NoEscape.exe virus download ! Contribute to Sn8ow/NoEscape.exe_Virus development by creating an account on GitHub.
AppleItunesApp: app-id=1477376905, app-argument=https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
TwitterImage: https://opengraph.githubassets.com/9273c2a963965e309b46a00d8af720a3d81dcc59737d783031d47fd6e64733f9/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
TwitterSite: @github
TwitterCard: summary_large_image
TwitterTitle: Release Original Version · Sn8ow/NoEscape.exe_Virus
TwitterDescription: Latest Version
TwitterCreator: 8owSn
Hostname: github.com
ExpectedHostname: github.com
HTTPEquivXPjaxVersion: 61af95f89d168f5aee1892142400788d24e0c89e85b4d3e75bac31e4bec0c49c
HTTPEquivXPjaxCspVersion: ace39c3b6632770952207593607e6e0be0db363435a8b877b1f96abe6430f345
HTTPEquivXPjaxCssVersion: 47c04af5bd21cb61932edc9a6a9416d3e507aeef479f7c520e66545ab5133438
HTTPEquivXPjaxJsVersion: d0c649996199db3d67ce2e127c5f7a5599550fcae7c412368a81d3d19739e75b
TurboCacheControl: no-preview
GoImport: github.com/Sn8ow/NoEscape.exe_Virus git https://github.com/Sn8ow/NoEscape.exe_Virus.git
OctolyticsDimensionUser_id: 80784394
OctolyticsDimensionUser_login: Sn8ow
OctolyticsDimensionRepository_id: 381404847
OctolyticsDimensionRepository_nwo: Sn8ow/NoEscape.exe_Virus
OctolyticsDimensionRepository_public:
OctolyticsDimensionRepository_is_fork: -
OctolyticsDimensionRepository_network_root_id: 381404847
OctolyticsDimensionRepository_network_root_nwo: Sn8ow/NoEscape.exe_Virus
TurboBodyClasses: logged-out env-production page-responsive
BrowserStatsUrl: https://api.github.com/_private/browser/stats
BrowserErrorsUrl: https://api.github.com/_private/browser/errors
ThemeColor: #1e2327
ColorScheme: light dark
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
277
Monitored processes
26
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start openwith.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs noescape.exe no specs #NOESCAPE noescape.exe shellexperiencehost.exe no specs plugscheduler.exe no specs ctfmon.exe no specs msedge.exe msedge.exe msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1140"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 4680 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c029678-9fd9-4153-af7f-a2d03ce06f43} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfbc75110 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
2136"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -childID 1 -isForBrowser -prefsHandle 2284 -prefMapHandle 2784 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8e1b4c-7901-4d58-a3b9-504e0b255ca6} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebf7c43f50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
2800"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6408 -parentBuildID 20240213221259 -sandboxingKind 1 -prefsHandle 6332 -prefMapHandle 6336 -prefsLen 40122 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbbb15b-3e0a-4a06-97dd-c9aa3f985a6c} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfb446910 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
3208"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5724 -prefsLen 32214 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {341fc437-4126-45b6-a315-fca650ab22a3} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfc2a7150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
3544"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 8 -isForBrowser -prefsHandle 6228 -prefMapHandle 6248 -prefsLen 32256 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b5c130b-9526-4444-b83a-b0c1c1b2997c} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfb377bd0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
4076"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x260,0x264,0x268,0x25c,0x274,0x7ff84e745fd8,0x7ff84e745fe4,0x7ff84e745ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4244"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -childID 2 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1536 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2a98b55-dabc-4773-b1cf-43f4507e83d0} 6932 "\\.\pipe\gecko-crash-server-pipe.6932" 1ebfa127d90 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4404"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
4544"ctfmon.exe"C:\Windows\System32\ctfmon.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4548"C:\Users\admin\Downloads\NoEscape.exe" C:\Users\admin\Downloads\NoEscape.exe
NoEscape.exe
User:
admin
Company:
Endermanch
Integrity Level:
HIGH
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\users\admin\downloads\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
28 967
Read events
28 940
Write events
26
Delete events
1

Modification events

(PID) Process:(6932) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(6932) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:AutoAdminLogon
Value:
0
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:DisableCAD
Value:
1
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:shutdownwithoutlogon
Value:
0
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:UseDefaultTile
Value:
1
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:DisableLogonBackgroundImage
Value:
1
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:Userinit
Value:
C:\Windows\system32\userinit.exe,C:\WINDOWS\winnt32.exe
(PID) Process:(4548) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
Operation:writeName:Scancode Map
Value:
0000000000000000710000000000010000003B0000003C0000003D0000003E0000003F0000004000000041000000420000004300000044000000570000005800000037E000004600000052E0000047E0000049E0000051E000004FE0000053E0000048E000004BE0000050E000004DE00000520000005300000051000000500000004F0000004B0000004C0000004D0000004E0000004900000048000000470000004500000035E00000370000004A0000002900000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F0000001000000011000000130000001600000017000000190000001A0000001B0000002B000000280000002700000026000000250000002400000022000000210000003A0000002A0000001D0000005BE00000380000002C0000002D0000002E0000002F0000003000000032000000330000003400000035000000360000001DE000005DE000005CE0000038E000005900000065E0000021E000006BE000005EE000005FE000006AE0000069E0000068E0000067E0000032E000006CE000006DE0000066E0000020E000002EE000002CE0000030E0000019E0000010E0000024E0000022E000000000
(PID) Process:(4548) NoEscape.exeKey:HKEY_CURRENT_USER\Control Panel\Mouse
Operation:writeName:SwapMouseButtons
Value:
1
Executable files
5
Suspicious files
453
Text files
47
Unknown types
1

Dropped files

PID
Process
Filename
Type
6932firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:22D7AF4E60FE5B1E752AA7B0BFCE808B
SHA256:E4CB0461BE3FC0352BE353A4F61E83CFDD8356262FC097DBCD01AC6BE26BFFD2
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6932firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6932firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
6932firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.jstext
MD5:22D7AF4E60FE5B1E752AA7B0BFCE808B
SHA256:E4CB0461BE3FC0352BE353A4F61E83CFDD8356262FC097DBCD01AC6BE26BFFD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
171
DNS requests
200
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6068
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6068
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6932
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
6932
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6932
firefox.exe
POST
200
184.24.77.54:80
http://r11.o.lencr.org/
unknown
whitelisted
6932
firefox.exe
POST
200
142.250.186.67:80
http://o.pki.goog/s/wr3/yvU
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6068
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6068
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.176:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.136
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.154
  • 104.126.37.129
  • 104.126.37.145
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 184.30.17.189
  • 184.28.89.167
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0