File name: NoEscape.exe

Full analysis: https://app.any.run/tasks/2f2dd4a5-a0ad-4081-8a8c-1f623d9e94b7
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to users’ information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 27, 2024, 08:14:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5: 989AE3D195203B323AA2B3ADF04E9833
SHA1: 31A45521BC672ABCF64E50284CA5D4E6B3687DC8
SHA256: D30D7676A3B4C91B77D403F81748EBF6B8824749DB5F860E114A8A204BCA5B8F
SSDEEP: 12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TBJ:s487pcZEgwcDpg1L2tbPR2tJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NoEscape.exe (PID: 2340)
      • NoEscape.exe (PID: 6420)
    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 6420)
    • UAC/LUA settings modification

      • NoEscape.exe (PID: 6420)
    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 6420)
    • Actions looks like stealing of personal data

      • msedge.exe (PID: 2968)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • NoEscape.exe (PID: 2340)
    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 2340)
      • ShellExperienceHost.exe (PID: 6616)
    • Application launched itself

      • NoEscape.exe (PID: 2340)
      • msedge.exe (PID: 2968)
    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 6420)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4568)
    • Likely accesses (executes) a file from the Public directory

      • notepad++.exe (PID: 4168)
  • INFO

    • Process checks computer location settings

      • NoEscape.exe (PID: 2340)
      • msedge.exe (PID: 2968)
    • Reads the computer name

      • NoEscape.exe (PID: 2340)
      • NoEscape.exe (PID: 6420)
      • ShellExperienceHost.exe (PID: 6616)
      • PLUGScheduler.exe (PID: 4568)
      • msedge.exe (PID: 2968)
    • Checks supported languages

      • NoEscape.exe (PID: 2340)
      • NoEscape.exe (PID: 6420)
      • ShellExperienceHost.exe (PID: 6616)
      • PLUGScheduler.exe (PID: 4568)
      • msedge.exe (PID: 2968)
    • Checks proxy server information

      • slui.exe (PID: 3336)
    • Reads the software policy settings

      • slui.exe (PID: 3336)
    • Creates files in the program directory

      • NoEscape.exe (PID: 6420)
      • PLUGScheduler.exe (PID: 4568)
    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 6420)
      • msedge.exe (PID: 2968)
    • Manual execution by a user

      • notepad++.exe (PID: 4168)
    • Reads Environment values

      • msedge.exe (PID: 2968)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:29 09:09:24+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 14.28
CodeSize: 15360
InitializedDataSize: 1832960
UninitializedDataSize: -
EntryPoint: 0x1c640e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.6.6.6
ProductVersionNumber: 6.6.6.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Endermanch
FileDescription: Windows Customization Tool
FileVersion: 6.6.6.6
InternalName: WinCustomize.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: WinCustomize.exe
ProductName: Customization Tool
ProductVersion: 6.6.6.6
No data.
Total processes: 261
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start; noescape.exe (no specs); noescape.exe; slui.exe; shellexperiencehost.exe (no specs); plugscheduler.exe (no specs); notepad++.exe (no specs); msedge.exe; msedge.exe (no specs)

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 2340
CMD: "C:\Users\admin\Desktop\NoEscape.exe"
Path: C:\Users\admin\Desktop\NoEscape.exe
Parent process: explorer.exe
User: admin
Company: Endermanch
Integrity Level: MEDIUM
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6
Modules (images):
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2604
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7ff990ce5fd8,0x7ff990ce5fe4,0x7ff990ce5ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2968
CMD: e" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcd156917hc2cfh4a4bha3d3hcf567789319c
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: winnt32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3336
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 1073807364
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4168
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Desktop\ᄎ✭᱉᝹⑚ᔚ″ᤪἍ⃽ᗵᬄ⊡ᇚເ྇‟ᲄ᭻ࢂᤅݬᴥᰥٗ♻ᮯג੨"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: HIGH
Description: Notepad++ : a free (GNU) source code editor
Version: 7.91
Modules (images):
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll

PID: 4568
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules (images):
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 6420
CMD: "C:\Users\admin\Desktop\NoEscape.exe"
Path: C:\Users\admin\Desktop\NoEscape.exe
Parent process: NoEscape.exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6
Modules (images):
c:\users\admin\desktop\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6616
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll

Total events: 6 739
Read events: 6 710
Write events: 29
Delete events: 0

Modification events

Process: NoEscape.exe (PID 2340)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: NoEscape.exe (PID 2340)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: NoEscape.exe (PID 2340)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: NoEscape.exe (PID 2340)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: AutoAdminLogon
Value: 0

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: DisableCAD
Value: 1

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: shutdownwithoutlogon
Value: 0

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: UseDefaultTile
Value: 1

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: DisableLogonBackgroundImage
Value: 1

Process: NoEscape.exe (PID 6420)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
Operation: write
Name: Scancode Map
Value:

Executable files: 1
Suspicious files: 184
Text files: 11
Unknown types: 15

Dropped files

PID | Process | Filename | Type
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user.bmp | image
MD5:2AB3698B005B421349512142ED6B965E
SHA256:150E95DA6C1E09511241130DA0E376878F5E24E21C2A9DFE7FBCC1022660E29F
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-48.png | image
MD5:C7572C5706CA8D652D6B87787AE7F5B2
SHA256:37C63EE5D26FB77F8E697FAEC3891673E40C449BF8411CFF806D852AE7506ADA
6420 | NoEscape.exe | C:\Users\admin\AppData\Local\noescape.png | image
MD5:9E655CFD3D501F1ED01D6A2E0DB0E744
SHA256:CF7B5334E06A13501821834CD1AEDB7C3306A543F7D8EC03D1F20BFAF9BED613
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user.png | image
MD5:96F17C361A25164E71716D5BB56CB3D8
SHA256:1025314EF977B5D07041B8B73E4ADBEA779E5E06096C3C66BD1F06FBBBA7FD1C
6420 | NoEscape.exe | C:\Users\Public\Desktop\ḔἿ⽎⦍⊰ᇼ▀⣡⩒❗⫅▮᳙ᅡ୐ⰟⱭग⫃๎⺤ᐅ✧ࡽ✻ⵛॅ≯⏊⏷⫀᏿ | binary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-40.png | image
MD5:D8E22EF10BD7AB65F56220D2845D6A94
SHA256:B115A4548AD8E9C7CADB707A0FF79FCD55D9D900EEFA7A922CA50C85C4D3CA1D
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-192.png | image
MD5:6BF949C62C5E9D07593BA5B604E36773
SHA256:E54EA8405024F1FA72E470417059BDD186B0A3836F7D5E1C2C95C6003383912F
6420 | NoEscape.exe | C:\ProgramData\Microsoft\User Account Pictures\user-32.png | image
MD5:5D572D54E293ACD90D5B8AD6036333DA
SHA256:4810DC6C101937DDE12D4581DE81E608EA144761D1307779DC6A256872330EDE
6420 | NoEscape.exe | C:\Users\Public\Desktop\⛂ᓺݱ⣼೵Ⳍ⿅ཇぁ࡬◊୳༜ቝ⥇Ⰸۀの | binary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
6420 | NoEscape.exe | C:\Users\Public\Desktop\⏟‾␃⻞ཱᏹṏᩯᮠ⛱⟷ݦ᱘ᱚ஌ワ⋔ᇛ⡛ᑡᴢん‛ᑜᤇ | binary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13

HTTP(S) requests: 43
TCP/UDP connections: 48
DNS requests: 14
Threats: 1

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (rows list only the values present, in page order)

GET | 304 | 184.86.251.4:443 | https://r.bing.com/rb/4N/jnc,nj/Z9JIsl6sMZa767o_cFEKG-WlDVY.js?bu=Fo8szyr8Ad8q4SrjKuUqiiuVLN0r4BH3K_0rmSz8AfwB_ie8K94R1RHUK8Er&or=w | unknown
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b
GET | 200 | 184.86.251.10:443 | https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js | unknown | s | 20.3 Kb
POST | 200 | 13.70.79.200:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3 | unknown | xml | 171 Kb
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b
GET | 200 | 184.86.251.19:443 | https://www.bing.com/th?id=ODSWG.60d4f6f4-d64d-40f4-a05f-e19f4f6f2b60&pid=dsb | unknown | image | 125 Kb
POST | 200 | 13.70.79.200:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown
GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16026.20140/Production/CC?&Clientid=%7b48BA7FDF-353C-4FE5-8D8F-9E31911A3891%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16026.20140&MsoVersion=16.0.16026.20140&ProcessName=officeclicktorun.exe&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b658E3A6E-464C-4228-B419-6A546B593367%7d&LabMachine=false | unknown | text | 334 Kb
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 184.86.251.24:443 | www.bing.com | Akamai International B.V. | DE | unknown
1800 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5812 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4128 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1620 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests


Threats

1 ETPRO signatures available at the full report
No debug info