Malware analysis NoEscape8.0.exe Malicious activity | ANY.RUN

Add for printing

File name:	NoEscape8.0.exe
Full analysis:	https://app.any.run/tasks/eb620ea4-0e96-4175-9a74-91c4625faee9
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 16:40:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	1C18F75DAFD667FB5559CF9B7CB5868E
SHA1:	DEAB3392CF25EBC52F15ECDCF7E4187DCAEC81F7
SHA256:	BF3C03FF11E6610BBF806084EC2D58CD5AACB87E52CBF965A789FA74584DE3A5
SSDEEP:	98304:PAY5A+8eV0TIhVoCOAbAz533nG34GWAMpSUZQAxxMLLM0FQjgdz8ONG6H7sO6SHY:ZM8xHZM1jM+9ZfmZ7fVj2VyzMc5u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - NoEscape8.0.exe (PID: 7352)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - NoEscape8.0.exe (PID: 7352)
- Executing commands from a ".bat" file
  - NoEscape8.0.exe (PID: 7352)
- Executable content was dropped or overwritten
  - NoEscape8.0.exe (PID: 7352)
- Reads security settings of Internet Explorer
  - NoEscape8.0.exe (PID: 7352)
INFO
- Reads the computer name
  - NoEscape8.0.exe (PID: 7352)
- Checks supported languages
  - NoEscape8.0.exe (PID: 7352)
- The sample compiled with english language support
  - NoEscape8.0.exe (PID: 7352)
- Process checks computer location settings
  - NoEscape8.0.exe (PID: 7352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:06:11 09:16:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	201728
InitializedDataSize:	75776
UninitializedDataSize:	-
EntryPoint:	0x1eef0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

7252

"C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe"

C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\noescape8.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7352

"C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe"

C:\Users\admin\AppData\Local\Temp\NoEscape8.0.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\noescape8.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

7544

C:\WINDOWS\system32\cmd.exe /c ""C:\yourpc\skid.bat" "

C:\Windows\SysWOW64\cmd.exe

—

NoEscape8.0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7552

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

294

Read events

294

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7352	NoEscape8.0.exe	C:\yourpc\f.vbs		text
		MD5:A4ED5CEA72CB85933B97EF6FD4B95A27	SHA256:E41A70375F153C9B4600D178CF43C4411583454AF32C0D74FAB05FB950D581E0
7352	NoEscape8.0.exe	C:\yourpc\GlitchB.exe		executable
		MD5:F529213E9A27A9A4E3FA344CFF5E70E3	SHA256:8B3B3B3B2CCF787A7CA4672E717134D3BDF52E7C43D29737DB2BF8B1E820C0D1
7352	NoEscape8.0.exe	C:\yourpc\HITBMAP.exe		executable
		MD5:E4BAC0A67D506DC8F3B844AF3A6FF444	SHA256:486A5094E820D3822B1ACA2DC1B2C4433415DDB09CD7932CF4D36C4C4AAEAE27
7352	NoEscape8.0.exe	C:\yourpc\InvCib.exe		executable
		MD5:8A2812F9FB4F068C8F9FCB435E22B4AD	SHA256:6BE9968731F31023AA84E7FE249E34AF773D87A693ECAD5580AF7B68882B6CF9
7352	NoEscape8.0.exe	C:\yourpc\gl.exe		executable
		MD5:754BE91171C29E0B2B35C209553C6E45	SHA256:595F476A34F1B6A481A89AEC8BAB0E323E7CCC7FBC53586982D26F681DDCC4A3
7352	NoEscape8.0.exe	C:\yourpc\INV.exe		executable
		MD5:E079C468C9CAED494623DBF95E9CE5E8	SHA256:8E217CE5670AC1021FDB6101372F9322F7FF82481ECD9BADC104FF542E46128C
7352	NoEscape8.0.exe	C:\yourpc\main.bat		text
		MD5:D381FDBE8F6A130E25247FA1E029805B	SHA256:9ECA23B0358E5507734EF7A2247C310C7BE23C85776913C49947AFB41C885273
7352	NoEscape8.0.exe	C:\yourpc\First2.exe		executable
		MD5:EAD502D394DE29812FD9036AEE094F76	SHA256:5B6359FC7B67CF6883D7BEE2F3FAD9A130572124EACFC849710104B30B5359D9
7352	NoEscape8.0.exe	C:\yourpc\es.vbs		text
		MD5:9C2D6662913494F5F7ECC95564F87132	SHA256:095F01222915F9F8D71EDB1593D70B7336C89AED4B42B14DC8E5CFF482AB8D3B
7352	NoEscape8.0.exe	C:\yourpc\kill.bat		text
		MD5:A97C34F83A7A745BAE0D82AC91FF87F9	SHA256:6A714034D1673AEA4392D5C83A1B290BACD80BAC7B94EE5BE52F20E140489670

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

NoEscape8.0.exe

1C18F75DAFD667FB5559CF9B7CB5868E

DEAB3392CF25EBC52F15ECDCF7E4187DCAEC81F7

BF3C03FF11E6610BBF806084EC2D58CD5AACB87E52CBF965A789FA74584DE3A5

98304:PAY5A+8eV0TIhVoCOAbAz533nG34GWAMpSUZQAxxMLLM0FQjgdz8ONG6H7sO6SHY:ZM8xHZM1jM+9ZfmZ7fVj2VyzMc5u

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

SUSPICIOUS

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

INFO

Reads the computer name

Checks supported languages

The sample compiled with english language support

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings