File name:

NoEscape.exe

Full analysis: https://app.any.run/tasks/03949a2a-1aa1-45f3-a0d1-976e8a0caf27
Verdict: Malicious activity
Analysis date: May 26, 2025, 12:18:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
noescape
wiper
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5:

989AE3D195203B323AA2B3ADF04E9833

SHA1:

31A45521BC672ABCF64E50284CA5D4E6B3687DC8

SHA256:

D30D7676A3B4C91B77D403F81748EBF6B8824749DB5F860E114A8A204BCA5B8F

SSDEEP:

12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TBJ:s487pcZEgwcDpg1L2tbPR2tJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NOESCAPE has been detected

      • NoEscape.exe (PID: 1088)

    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 1088)

    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 1088)

    • UAC/LUA settings modification

      • NoEscape.exe (PID: 1088)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 5776)
      • ShellExperienceHost.exe (PID: 5008)

    • There is functionality for taking screenshot (YARA)

      • NoEscape.exe (PID: 1088)

    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 1088)

    • Application launched itself

      • NoEscape.exe (PID: 5776)

  • INFO

    • Creates files in the program directory

      • NoEscape.exe (PID: 1088)

    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 1088)

    • Checks supported languages

      • NoEscape.exe (PID: 5776)
      • NoEscape.exe (PID: 1088)
      • ShellExperienceHost.exe (PID: 5008)

    • The sample compiled with english language support

      • NoEscape.exe (PID: 1088)
      • NoEscape.exe (PID: 5776)

    • Reads the computer name

      • NoEscape.exe (PID: 1088)
      • ShellExperienceHost.exe (PID: 5008)
      • NoEscape.exe (PID: 5776)

    • Process checks computer location settings

      • NoEscape.exe (PID: 5776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:29 09:09:24+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 14.28
CodeSize: 15360
InitializedDataSize: 1832960
UninitializedDataSize: -
EntryPoint: 0x1c640e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.6.6.6
ProductVersionNumber: 6.6.6.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Endermanch
FileDescription: Windows Customization Tool
FileVersion: 6.6.6.6
InternalName: WinCustomize.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: WinCustomize.exe
ProductName: Customization Tool
ProductVersion: 6.6.6.6
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start noescape.exe no specs #NOESCAPE noescape.exe sppextcomobj.exe no specs slui.exe no specs shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1088"C:\Users\admin\Desktop\NoEscape.exe" C:\Users\admin\Desktop\NoEscape.exe
NoEscape.exe
User:
admin
Company:
Endermanch
Integrity Level:
HIGH
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1168"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4696C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5008"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
5776"C:\Users\admin\Desktop\NoEscape.exe" C:\Users\admin\Desktop\NoEscape.exeexplorer.exe
User:
admin
Company:
Endermanch
Integrity Level:
MEDIUM
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
1 445
Read events
1 432
Write events
13
Delete events
0

Modification events

(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:AutoAdminLogon
Value:
0
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:DisableCAD
Value:
1
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:shutdownwithoutlogon
Value:
0
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:UseDefaultTile
Value:
1
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:DisableLogonBackgroundImage
Value:
1
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
Operation:writeName:Scancode Map
Value:
0000000000000000710000000000010000003B0000003C0000003D0000003E0000003F0000004000000041000000420000004300000044000000570000005800000037E000004600000052E0000047E0000049E0000051E000004FE0000053E0000048E000004BE0000050E000004DE00000520000005300000051000000500000004F0000004B0000004C0000004D0000004E0000004900000048000000470000004500000035E00000370000004A0000002900000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F0000001000000011000000130000001600000017000000190000001A0000001B0000002B000000280000002700000026000000250000002400000022000000210000003A0000002A0000001D0000005BE00000380000002C0000002D0000002E0000002F0000003000000032000000330000003400000035000000360000001DE000005DE000005CE0000038E000005900000065E0000021E000006BE000005EE000005FE000006AE0000069E0000068E0000067E0000032E000006CE000006DE0000066E0000020E000002EE000002CE0000030E0000019E0000010E0000024E0000022E000000000
(PID) Process:(1088) NoEscape.exeKey:HKEY_CURRENT_USER\Control Panel\Mouse
Operation:writeName:SwapMouseButtons
Value:
1
(PID) Process:(1088) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(1088) NoEscape.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
(PID) Process:(1088) NoEscape.exeKey:HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:DisableCMD
Value:
2
Executable files
1
Suspicious files
166
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
1088NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user-40.pngimage
MD5:D8E22EF10BD7AB65F56220D2845D6A94
SHA256:B115A4548AD8E9C7CADB707A0FF79FCD55D9D900EEFA7A922CA50C85C4D3CA1D
1088NoEscape.exeC:\Users\admin\AppData\Local\noescape.pngimage
MD5:9E655CFD3D501F1ED01D6A2E0DB0E744
SHA256:CF7B5334E06A13501821834CD1AEDB7C3306A543F7D8EC03D1F20BFAF9BED613
1088NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user-48.pngimage
MD5:C7572C5706CA8D652D6B87787AE7F5B2
SHA256:37C63EE5D26FB77F8E697FAEC3891673E40C449BF8411CFF806D852AE7506ADA
1088NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user-192.pngimage
MD5:6BF949C62C5E9D07593BA5B604E36773
SHA256:E54EA8405024F1FA72E470417059BDD186B0A3836F7D5E1C2C95C6003383912F
1088NoEscape.exeC:\Users\Public\Desktop\➠⎈ᄧ☮ົஈ০Ջឋ௼ၒقᦙᵢથᔑbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
1088NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user.pngimage
MD5:96F17C361A25164E71716D5BB56CB3D8
SHA256:1025314EF977B5D07041B8B73E4ADBEA779E5E06096C3C66BD1F06FBBBA7FD1C
1088NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user.bmpimage
MD5:2AB3698B005B421349512142ED6B965E
SHA256:150E95DA6C1E09511241130DA0E376878F5E24E21C2A9DFE7FBCC1022660E29F
1088NoEscape.exeC:\Users\Public\Desktop\᫫ᮿᡈଥᝤ⃪ⶪ⎧ᘁ໳໕⽓⡲ೄ๜☤ᅩமሉۋؓጂ⣕⾛ྡྷ⭧గ⛕⤤ᤫbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
1088NoEscape.exeC:\Users\Public\Desktop\ᙗᯑὫẵై⬥ᘑዘࢼ⧴⥠ᭁ⊓৪὾ᚰᘺ↰ֺঐ❅⾵ㄖፊℑڎᾋᎹbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
1088NoEscape.exeC:\Users\Public\Desktop\ᑍ↜⋢ମ฾ḡ↍⟄⭽ᙪ⿭ႇ᥻ᙺ࿃ダ₀Ꮴፂ⮝ᯄbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5796
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.3
  • 20.190.160.65
  • 40.126.32.138
  • 20.190.160.4
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
self.events.data.microsoft.com
  • 13.69.239.72
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NoEscape.exe