File name:

NoEscape.exe

Full analysis: https://app.any.run/tasks/a313ce97-9f28-45a4-b46b-ee7683b7798e
Verdict: Malicious activity
Analysis date: May 02, 2025, 13:11:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5:

989AE3D195203B323AA2B3ADF04E9833

SHA1:

31A45521BC672ABCF64E50284CA5D4E6B3687DC8

SHA256:

D30D7676A3B4C91B77D403F81748EBF6B8824749DB5F860E114A8A204BCA5B8F

SSDEEP:

12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TBJ:s487pcZEgwcDpg1L2tbPR2tJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UAC/LUA settings modification

      • NoEscape.exe (PID: 7192)

    • Disables the Shutdown in the Start menu

      • NoEscape.exe (PID: 7192)

    • Changes the login/logoff helper path in the registry

      • NoEscape.exe (PID: 7192)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • NoEscape.exe (PID: 4180)
      • ShellExperienceHost.exe (PID: 8184)

    • Application launched itself

      • NoEscape.exe (PID: 4180)

    • There is functionality for taking screenshot (YARA)

      • NoEscape.exe (PID: 7192)

    • Executable content was dropped or overwritten

      • NoEscape.exe (PID: 7192)

  • INFO

    • Checks supported languages

      • NoEscape.exe (PID: 4180)
      • ShellExperienceHost.exe (PID: 8184)

    • The sample compiled with english language support

      • NoEscape.exe (PID: 4180)
      • NoEscape.exe (PID: 7192)

    • Reads the computer name

      • NoEscape.exe (PID: 4180)
      • ShellExperienceHost.exe (PID: 8184)

    • Process checks computer location settings

      • NoEscape.exe (PID: 4180)

    • Creates files or folders in the user directory

      • NoEscape.exe (PID: 7192)

    • Creates files in the program directory

      • NoEscape.exe (PID: 7192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:29 09:09:24+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 14.28
CodeSize: 15360
InitializedDataSize: 1832960
UninitializedDataSize: -
EntryPoint: 0x1c640e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.6.6.6
ProductVersionNumber: 6.6.6.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Endermanch
FileDescription: Windows Customization Tool
FileVersion: 6.6.6.6
InternalName: WinCustomize.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: WinCustomize.exe
ProductName: Customization Tool
ProductVersion: 6.6.6.6
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start noescape.exe no specs noescape.exe sppextcomobj.exe no specs slui.exe no specs shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4180"C:\Users\admin\AppData\Local\Temp\NoEscape.exe" C:\Users\admin\AppData\Local\Temp\NoEscape.exeexplorer.exe
User:
admin
Company:
Endermanch
Integrity Level:
MEDIUM
Description:
Windows Customization Tool
Version:
6.6.6.6
Modules
Images
c:\users\admin\appdata\local\temp\noescape.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7192"C:\Users\admin\AppData\Local\Temp\NoEscape.exe" C:\Users\admin\AppData\Local\Temp\NoEscape.exe
NoEscape.exe
User:
admin
Company:
Endermanch
Integrity Level:
HIGH
Description:
Windows Customization Tool
Exit code:
0
Version:
6.6.6.6
Modules
Images
c:\windows\syswow64\samlib.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\sspicli.dll
7228C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
7260"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
8184"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events
1 475
Read events
1 460
Write events
15
Delete events
0

Modification events

(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:AutoAdminLogon
Value:
0
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:DisableCAD
Value:
1
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:shutdownwithoutlogon
Value:
0
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:UseDefaultTile
Value:
1
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:DisableLogonBackgroundImage
Value:
1
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:AutoRestartShell
Value:
0
(PID) Process:(7192) NoEscape.exeKey:HKEY_CURRENT_USER\Control Panel\Desktop
Operation:writeName:AutoColorization
Value:
1
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
Operation:writeName:Scancode Map
Value:
0000000000000000710000000000010000003B0000003C0000003D0000003E0000003F0000004000000041000000420000004300000044000000570000005800000037E000004600000052E0000047E0000049E0000051E000004FE0000053E0000048E000004BE0000050E000004DE00000520000005300000051000000500000004F0000004B0000004C0000004D0000004E0000004900000048000000470000004500000035E00000370000004A0000002900000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F0000001000000011000000130000001600000017000000190000001A0000001B0000002B000000280000002700000026000000250000002400000022000000210000003A0000002A0000001D0000005BE00000380000002C0000002D0000002E0000002F0000003000000032000000330000003400000035000000360000001DE000005DE000005CE0000038E000005900000065E0000021E000006BE000005EE000005FE000006AE0000069E0000068E0000067E0000032E000006CE000006DE0000066E0000020E000002EE000002CE0000030E0000019E0000010E0000024E0000022E000000000
(PID) Process:(7192) NoEscape.exeKey:HKEY_CURRENT_USER\Control Panel\Mouse
Operation:writeName:SwapMouseButtons
Value:
1
(PID) Process:(7192) NoEscape.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
Executable files
1
Suspicious files
166
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
7192NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user-192.pngimage
MD5:6BF949C62C5E9D07593BA5B604E36773
SHA256:E54EA8405024F1FA72E470417059BDD186B0A3836F7D5E1C2C95C6003383912F
7192NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user-48.pngimage
MD5:C7572C5706CA8D652D6B87787AE7F5B2
SHA256:37C63EE5D26FB77F8E697FAEC3891673E40C449BF8411CFF806D852AE7506ADA
7192NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user.bmpimage
MD5:2AB3698B005B421349512142ED6B965E
SHA256:150E95DA6C1E09511241130DA0E376878F5E24E21C2A9DFE7FBCC1022660E29F
7192NoEscape.exeC:\ProgramData\Microsoft\User Account Pictures\user.pngimage
MD5:96F17C361A25164E71716D5BB56CB3D8
SHA256:1025314EF977B5D07041B8B73E4ADBEA779E5E06096C3C66BD1F06FBBBA7FD1C
7192NoEscape.exeC:\Users\Public\Desktop\ᗋ⅒ᰕⵂ၇᷃৴ำ⌈᝜፯ᢻફ૥ਮ⡬Ⱓ⋄ⱱbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
7192NoEscape.exeC:\Users\Public\Desktop\ౡẍߊᶹ⦤⓫ᠩ੾ᬘᙧᖜ༸፪ঽⱲ☘binary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
7192NoEscape.exeC:\Users\Public\Desktop\ڊ⤠≊⁅❰ⵖ✀⚋៱⯱ᱱ⇽᫤஗෺ፓᡟ⮆⛶ؤ୙᱂╲❈⍃ሧbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
7192NoEscape.exeC:\Users\Public\Desktop\ܔᢀކઍᦇ௅ֺᣱᐏན◝ᪧཀྵ⏔⣆ヤ↋⍩␨གྷ཭⮉ໜ૥〆ᥧbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
7192NoEscape.exeC:\Users\Public\Desktop\ဧ⃈ᖖ⻡ᲄᲗ⺚݅ᑏ૖⥊ᜅ⡗⇓⑌࿜࿉ⷚッⰎ≏ᥑ჆⵹ᛠᄣᬘᚺbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
7192NoEscape.exeC:\Users\Public\Desktop\⍙।Ⴆἲ⅟⮰Ꮪࣨ׸ྂᛕ᜞〢⥏቟⼑ႛᶹᡂbinary
MD5:E49F0A8EFFA6380B4518A8064F6D240B
SHA256:8DBD06E9585C5A16181256C9951DBC65621DF66CEB22C8E3D2304477178BEE13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
25
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7812
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7812
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7812
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.35
  • 23.216.77.22
  • 23.216.77.19
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.25
  • 23.216.77.28
  • 23.216.77.30
  • 23.216.77.38
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.73
  • 40.126.31.1
  • 20.190.159.130
  • 40.126.31.131
  • 20.190.159.4
  • 40.126.31.2
  • 40.126.31.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NoEscape.exe