Malware analysis NoEscape8.0.exe Malicious activity | ANY.RUN

Add for printing

File name:	NoEscape8.0.exe
Full analysis:	https://app.any.run/tasks/eb620ea4-0e96-4175-9a74-91c4625faee9
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 16:40:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	1C18F75DAFD667FB5559CF9B7CB5868E
SHA1:	DEAB3392CF25EBC52F15ECDCF7E4187DCAEC81F7
SHA256:	BF3C03FF11E6610BBF806084EC2D58CD5AACB87E52CBF965A789FA74584DE3A5
SSDEEP:	98304:PAY5A+8eV0TIhVoCOAbAz533nG34GWAMpSUZQAxxMLLM0FQjgdz8ONG6H7sO6SHY:ZM8xHZM1jM+9ZfmZ7fVj2VyzMc5u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - NoEscape8.0.exe (PID: 7352)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - NoEscape8.0.exe (PID: 7352)
- Executable content was dropped or overwritten
  - NoEscape8.0.exe (PID: 7352)
- Executing commands from a ".bat" file
  - NoEscape8.0.exe (PID: 7352)
- Starts CMD.EXE for commands execution
  - NoEscape8.0.exe (PID: 7352)
INFO
- Reads the computer name
  - NoEscape8.0.exe (PID: 7352)
- Process checks computer location settings
  - NoEscape8.0.exe (PID: 7352)
- Checks supported languages
  - NoEscape8.0.exe (PID: 7352)
- The sample compiled with english language support
  - NoEscape8.0.exe (PID: 7352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:06:11 09:16:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	201728
InitializedDataSize:	75776
UninitializedDataSize:	-
EntryPoint:	0x1eef0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

7252

"C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe"

C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\noescape8.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7352

"C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe"

C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\noescape8.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

7544

C:\WINDOWS\system32\cmd.exe /c ""C:\yourpc\skid.bat" "

C:\Windows\SysWOW64\cmd.exe

—

NoEscape8.0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7552

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

294

Read events

294

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7352	NoEscape8.0.exe	C:\yourpc\f.vbs		text
		MD5:A4ED5CEA72CB85933B97EF6FD4B95A27	SHA256:E41A70375F153C9B4600D178CF43C4411583454AF32C0D74FAB05FB950D581E0
7352	NoEscape8.0.exe	C:\yourpc\ColorA.exe		executable
		MD5:2990BD81B18D93ACDA8EDE7B79F71B31	SHA256:781F67D14A5EE5CF6508874DC47E4EC6C60B895C9893112272AEC44CCDCAFC51
7352	NoEscape8.0.exe	C:\yourpc\es.vbs		text
		MD5:9C2D6662913494F5F7ECC95564F87132	SHA256:095F01222915F9F8D71EDB1593D70B7336C89AED4B42B14DC8E5CFF482AB8D3B
7352	NoEscape8.0.exe	C:\yourpc\GlitchB.exe		executable
		MD5:F529213E9A27A9A4E3FA344CFF5E70E3	SHA256:8B3B3B3B2CCF787A7CA4672E717134D3BDF52E7C43D29737DB2BF8B1E820C0D1
7352	NoEscape8.0.exe	C:\yourpc\melter.exe		executable
		MD5:D9BAAC374CC96E41C9F86C669E53F61C	SHA256:A1D883577BCB6C4F9DE47B06FE97C370C09BDDFFB6569B6CF93576371BDBC412
7352	NoEscape8.0.exe	C:\yourpc\noescape.vbs		text
		MD5:34064A9B19AE04297444875FA3C2203A	SHA256:485D21B6285EBE933AF00BD4DE92A6660FBEDDF65D556A4C291B0DBD4CB854F0
7352	NoEscape8.0.exe	C:\yourpc\First2.exe		executable
		MD5:EAD502D394DE29812FD9036AEE094F76	SHA256:5B6359FC7B67CF6883D7BEE2F3FAD9A130572124EACFC849710104B30B5359D9
7352	NoEscape8.0.exe	C:\yourpc\kill.bat		text
		MD5:A97C34F83A7A745BAE0D82AC91FF87F9	SHA256:6A714034D1673AEA4392D5C83A1B290BACD80BAC7B94EE5BE52F20E140489670
7352	NoEscape8.0.exe	C:\yourpc\main.bat		text
		MD5:D381FDBE8F6A130E25247FA1E029805B	SHA256:9ECA23B0358E5507734EF7A2247C310C7BE23C85776913C49947AFB41C885273
7352	NoEscape8.0.exe	C:\yourpc\Magix.exe		executable
		MD5:026992ED7C38FAE57E8839A6C0D883C8	SHA256:68CB1FE2EE7C3F69FE2D508D117B502ED19337BD332E722605E491A823F89645

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

NoEscape8.0.exe

1C18F75DAFD667FB5559CF9B7CB5868E

DEAB3392CF25EBC52F15ECDCF7E4187DCAEC81F7

BF3C03FF11E6610BBF806084EC2D58CD5AACB87E52CBF965A789FA74584DE3A5

98304:PAY5A+8eV0TIhVoCOAbAz533nG34GWAMpSUZQAxxMLLM0FQjgdz8ONG6H7sO6SHY:ZM8xHZM1jM+9ZfmZ7fVj2VyzMc5u

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Process checks computer location settings

Checks supported languages

The sample compiled with english language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings