URL: https://github.com/bill-zhanxg/NoEscape.exe-Download/tree/main/NoEscape.exe

Full analysis: https://app.any.run/tasks/5ba4f1a7-b252-4b78-bb7b-7af505c59220
Verdict: Malicious activity
Analysis date: February 11, 2022, 21:00:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: E91F3FA192567EF5B7FB88847994A248
SHA1: 02B1D9F82766A1641880060F8C1DB94C9E94C6D9
SHA256: DDAE4987DFC8FA45F03A363B64D3662A5DC9D71DCC70117A85A6BAB9CEE88525
SSDEEP: 3:N8tEd3IxLvrKgX2FEE8GQRKe+J:2uCNXX2zTQRK/J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 576)
      • NoEscape.exe (PID: 2996)
      • NoEscape.exe (PID: 1932)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 2868)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3480)
    • Checks supported languages

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 576)
      • NoEscape.exe (PID: 2996)
      • NoEscape.exe (PID: 1932)
    • Application launched itself

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 2996)
    • Reads the computer name

      • NoEscape.exe (PID: 992)
      • NoEscape.exe (PID: 2996)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
      • explorer.exe (PID: 2472)
    • Changes internet zones settings

      • iexplore.exe (PID: 2868)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
    • Application launched itself

      • iexplore.exe (PID: 2868)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3480)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 2868)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2868)
    • Reads the computer name

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3480)
      • explorer.exe (PID: 2472)
    • Creates files in the user directory

      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 2868)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2868)
    • Manual execution by user

      • NoEscape.exe (PID: 2996)
      • explorer.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Process information

PID: 576
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: NoEscape.exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID: 992
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: iexplore.exe
User: admin
Company: Endermanch
Integrity Level: MEDIUM
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID: 1932
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: NoEscape.exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID: 2472
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2868
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/bill-zhanxg/NoEscape.exe-Download/tree/main/NoEscape.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2996
CMD: "C:\Users\admin\Downloads\NoEscape.exe"
Path: C:\Users\admin\Downloads\NoEscape.exe
Parent process: Explorer.EXE
User: admin
Company: Endermanch
Integrity Level: MEDIUM
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6

PID: 3480
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2868 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 18
Text files: 29
Unknown types: 11

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 of each file follow its row)
2868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5:D0A4D21205FEA484DAD854E5789A734E
SHA256:4862AC7856C0BA49CFE8F7CA0AABB3BDB8465EE5CAEA7070CB40C9A4BC3773ED
2868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
MD5:D176BC08834293918EF34E324C27DE29
SHA256:53DE3EE3B7D538DA2AFD8E4566B5645F36922B7ACE34553BACA67C84605E3F88
2868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
MD5:0A6F5136E421C463308746D00E2908E0
SHA256:6B73EAA3350D56553DE3836CD3F56310A1FE1FD2599CC43C35CBEEAC6027B898
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3 | binary
MD5:E2579848AE483CBD25D5E8004107566B
SHA256:EB8148CC107B7279343862816311C2070907549F0F53679F41786E203395F472
3480 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SK1VW16B.txt | text
MD5:CFFE617A20265633AFC883BC2B8690B6
SHA256:7B22480A273E10FD6360C4BD7BB50FF398632DCD17767626FC0B3169C8B71F36
3480 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NoEscape[1].htm | html
MD5:FD1390D94C9B6B215A23955A3099F0DF
SHA256:3EFD306A8B501091AD36ACAEAF293EE78416DC8DE4B6AB8B8F44B3E469622584
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | der
MD5:0D03EADD612C920A201A71C57C1F0032
SHA256:FF93B51BD0872471621F45992DF6D39ADCBF563AF4DEA46BA8C58744C1DE8969
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1 | der
MD5:190F3238525313C58219033A73520F4B
SHA256:530442661C6CF9092F60D8BE9F3C59D6AA8D300A13EE5B6346C0DEB766F53728
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1 | binary
MD5:1531A9DB8B2DEA97A76C171BE39F5450
SHA256:09DF481741F09C7E60BCCB8A53BBDE1405BFA6624329E48DF3E69470397F17FF
3480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
MD5:6CF039E28C987CBED7BDC7A93E1B3EB1
SHA256:4705F51100325180AE6493D4F46C52DE6F040FBEE7EA95E3DFCB8C1C78C21D65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 27
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D | US | der | 279 b | whitelisted
3480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D | US | der | 471 b | whitelisted
2868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
3480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted
2868 | iexplore.exe | GET | 200 | 8.241.9.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a55319b5e67b1851 | US | compressed | 4.70 Kb | whitelisted
2868 | iexplore.exe | GET | 200 | 8.241.9.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a254c5d343e8325 | US | compressed | 4.70 Kb | whitelisted
2868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2868 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2868 | iexplore.exe | 8.241.9.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious
2868 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3480 | iexplore.exe | 185.199.108.154:443 | github.githubassets.com | GitHub, Inc. | NL | suspicious
3480 | iexplore.exe | 185.199.108.133:443 | avatars.githubusercontent.com | GitHub, Inc. | NL | malicious
2868 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2868 | iexplore.exe | 185.199.108.154:443 | github.githubassets.com | GitHub, Inc. | NL | suspicious
3480 | iexplore.exe | 185.199.110.133:443 | avatars.githubusercontent.com | GitHub, Inc. | NL | malicious
3480 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3480 | iexplore.exe | 140.82.121.4:443 | github.com | | US | malicious

DNS requests

Domain | IP | Reputation
github.com | 140.82.121.4 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ctldl.windowsupdate.com | 8.241.9.254, 8.248.145.254, 67.27.157.126, 8.248.135.254, 8.248.149.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
github.githubassets.com | 185.199.108.154, 185.199.109.154, 185.199.110.154, 185.199.111.154 | whitelisted
avatars.githubusercontent.com | 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133 | whitelisted
github-cloud.s3.amazonaws.com | 52.217.79.124, 52.217.37.100 | shared
user-images.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected
No debug info