download:

/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip

Full analysis: https://app.any.run/tasks/dd1bcdad-d8ac-4afe-a5c1-887cf0bf4367
Verdict: Malicious activity
Analysis date: January 27, 2024, 00:23:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/json
File info: JSON data
MD5:

E5465A34C8FDB3E63F7617C6B209B69E

SHA1:

B051F966A26D0A76E9CC92FEC76A2CEB0B44D5F8

SHA256:

6EE59E613C88EF4A27F207A232C272E092CEDBEBF52B013D56845EC13ABEBC01

SSDEEP:

96:WG9dfPVtXrRCkb11B5VbltZLbkrkSDOSDMwTh9uH2xJ1vHHMu+t4V:WG9dfPVJVCkb11B5VbltZLbkQSLMc9uI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • jigsa.exe (PID: 1848)
      • drpbx.exe (PID: 1776)

    • Changes the autorun value in the registry

      • jigsa.exe (PID: 2480)
      • jigsa.exe (PID: 2312)

    • Steals credentials from Web Browsers

      • drpbx.exe (PID: 1776)

    • Modifies files in the Chrome extension folder

      • drpbx.exe (PID: 1776)

    • Actions looks like stealing of personal data

      • drpbx.exe (PID: 1776)

  • SUSPICIOUS

    • Reads the Internet Settings

      • jigsa.exe (PID: 1848)

    • Executable content was dropped or overwritten

      • jigsa.exe (PID: 1848)

    • Starts itself from another location

      • jigsa.exe (PID: 1848)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 2672)

    • Manual execution by a user

      • WinRAR.exe (PID: 452)
      • WinRAR.exe (PID: 2484)
      • WinRAR.exe (PID: 2316)
      • msedge.exe (PID: 2672)
      • WinRAR.exe (PID: 3368)
      • jigsa.exe (PID: 1848)
      • jigsa.exe (PID: 2312)
      • jigsa.exe (PID: 2480)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 3368)
      • msedge.exe (PID: 2020)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3368)

    • Checks supported languages

      • jigsa.exe (PID: 1848)
      • drpbx.exe (PID: 1776)
      • jigsa.exe (PID: 2480)
      • jigsa.exe (PID: 2312)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3368)

    • Creates files or folders in the user directory

      • jigsa.exe (PID: 1848)
      • drpbx.exe (PID: 1776)

    • Reads the computer name

      • jigsa.exe (PID: 1848)
      • jigsa.exe (PID: 2480)
      • jigsa.exe (PID: 2312)

    • Reads the machine GUID from the registry

      • jigsa.exe (PID: 1848)
      • jigsa.exe (PID: 2480)
      • drpbx.exe (PID: 1776)
      • jigsa.exe (PID: 2312)

    • Creates files in the program directory

      • drpbx.exe (PID: 1776)

    • Create files in a temporary directory

      • drpbx.exe (PID: 1776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

JSON

PayloadAllShortcutsEnabled: -
PayloadBlobCsv: null
PayloadBlobCsvError: null
PayloadBlobDependabotInfoConfigFilePath: null
PayloadBlobDependabotInfoConfigurationNoticeDismissed: null
PayloadBlobDependabotInfoCurrentUserCanAdminRepo: -
PayloadBlobDependabotInfoDismissConfigurationNoticePath: /settings/dismiss-notice/dependabot_configuration_notice
PayloadBlobDependabotInfoNetworkDependabotPath: /kh4sh3i/Ransomware-Samples/network/updates
PayloadBlobDependabotInfoRepoAlertsPath: /kh4sh3i/Ransomware-Samples/security/dependabot
PayloadBlobDependabotInfoRepoOwnerIsOrg: -
PayloadBlobDependabotInfoRepoSecurityAndAnalysisPath: /kh4sh3i/Ransomware-Samples/settings/security_analysis
PayloadBlobDependabotInfoShowConfigurationBanner: -
PayloadBlobDiscussionTemplate: null
PayloadBlobDisplayName: Ransomware.Jigsaw.zip
PayloadBlobDisplayUrl: https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip?raw=true
PayloadBlobHeaderInfoBlobSize: 240 KB
PayloadBlobHeaderInfoDeleteInfoDeleteTooltip: You must be signed in to make or propose changes
PayloadBlobHeaderInfoEditInfoEditTooltip: You must be signed in to make or propose changes
PayloadBlobHeaderInfoGhDesktopPath: https://desktop.github.com
PayloadBlobHeaderInfoGitLfsPath: null
PayloadBlobHeaderInfoIsCSV: -
PayloadBlobHeaderInfoIsRichtext: -
PayloadBlobHeaderInfoLineInfoTruncatedLoc: null
PayloadBlobHeaderInfoLineInfoTruncatedSloc: null
PayloadBlobHeaderInfoMode: file
PayloadBlobHeaderInfoOnBranch:
PayloadBlobHeaderInfoShortPath: e912ba0
PayloadBlobHeaderInfoSiteNavLoginPath: /login?return_to=https%3A%2F%2Fgithub.com%2Fkh4sh3i%2FRansomware-Samples%2Fblob%2Fmain%2FJigsaw%2FRansomware.Jigsaw.zip
PayloadBlobHeaderInfoToc: null
PayloadBlobImage: -
PayloadBlobIsCodeownersFile: null
PayloadBlobIsPlain: -
PayloadBlobIsValidLegacyIssueTemplate: -
PayloadBlobIssueTemplate: null
PayloadBlobIssueTemplateHelpUrl: https://docs.github.com/articles/about-issue-and-pull-request-templates
PayloadBlobLanguage: null
PayloadBlobLanguageID: null
PayloadBlobLarge: -
PayloadBlobLoggedIn: -
PayloadBlobNewDiscussionPath: /kh4sh3i/Ransomware-Samples/discussions/new
PayloadBlobNewIssuePath: /kh4sh3i/Ransomware-Samples/issues/new
PayloadBlobPlanSupportInfoRepoIsFork: null
PayloadBlobPlanSupportInfoRepoOwnedByCurrentUser: null
PayloadBlobPlanSupportInfoRequestFullPath: /kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip
PayloadBlobPlanSupportInfoShowFreeOrgGatedFeatureMessage: null
PayloadBlobPlanSupportInfoShowPlanSupportBanner: null
PayloadBlobPlanSupportInfoUpgradeDataAttributes: null
PayloadBlobPlanSupportInfoUpgradePath: null
PayloadBlobPublishBannersInfoDismissActionNoticePath: /settings/dismiss-notice/publish_action_from_dockerfile
PayloadBlobPublishBannersInfoDismissStackNoticePath: /settings/dismiss-notice/publish_stack_from_file
PayloadBlobPublishBannersInfoReleasePath: /kh4sh3i/Ransomware-Samples/releases/new?marketplace=true
PayloadBlobPublishBannersInfoShowPublishActionBanner: -
PayloadBlobPublishBannersInfoShowPublishStackBanner: -
PayloadBlobRawBlobUrl: https://github.com/kh4sh3i/Ransomware-Samples/raw/main/Jigsaw/Ransomware.Jigsaw.zip
PayloadBlobRawLines: null
PayloadBlobRenderImageOrRaw:
PayloadBlobRenderedFileInfo: null
PayloadBlobRichText: null
PayloadBlobShortPath: null
PayloadBlobStylingDirectives: null
PayloadBlobSymbols: null
PayloadBlobTabSize: 8
PayloadBlobTopBannersInfoActionsOnboardingTip: null
PayloadBlobTopBannersInfoCitationHelpUrl: https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-citation-files
PayloadBlobTopBannersInfoGlobalPreferredFundingPath: null
PayloadBlobTopBannersInfoOverridingGlobalFundingFile: -
PayloadBlobTopBannersInfoRepoName: Ransomware-Samples
PayloadBlobTopBannersInfoRepoOwner: kh4sh3i
PayloadBlobTopBannersInfoShowDependabotConfigurationBanner: -
PayloadBlobTopBannersInfoShowInvalidCitationWarning: -
PayloadBlobTruncated: -
PayloadBlobViewable: -
PayloadBlobWorkflowRedirectUrl: null
PayloadCopilotAccessAllowed: -
PayloadCopilotInfo: null
PayloadCsrf_tokenskh4sh3iRansomware-SamplesbranchesPost: _1bX5uKSuXsy0eTEIndw8A944X68XhfX-Pr0WG_yn9WN1BW_6YtRpaFOu9twDMGUaWPLVHsNZzy3JUXNk7G8bA
PayloadCsrf_tokensrepospreferencesPost: iyy5O9iCggtW_mWWb1d9EbuVRa9fgLHsQzhywZ7o22lYLn4Ki57U5pnz_1X0gBrWbvCtDlyACY7DnMSEv5T1Aw
PayloadCurrentUser: null
PayloadFileTreeItemsContentType:
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • file
  • file
  • file
PayloadFileTreeItemsName:
  • Cerber
  • Cryptowall
  • Jigsaw
  • Locky
  • Mamba
  • Matsnu
  • Petrwrap
  • Petya
  • Radamant
  • RedBoot
  • Rex
  • Satana
  • TeslaCrypt
  • Thanos
  • Unnamed_0
  • Vipasana
  • WannaCry
  • WannaCry_Plus
  • LICENSE
  • README.md
  • ransomware.png
PayloadFileTreeItemsPath:
  • Cerber
  • Cryptowall
  • Jigsaw
  • Locky
  • Mamba
  • Matsnu
  • Petrwrap
  • Petya
  • Radamant
  • RedBoot
  • Rex
  • Satana
  • TeslaCrypt
  • Thanos
  • Unnamed_0
  • Vipasana
  • WannaCry
  • WannaCry_Plus
  • LICENSE
  • README.md
  • ransomware.png
PayloadFileTreeTotalCount: 21
PayloadFileTreeJigsawItemsContentType: file
PayloadFileTreeJigsawItemsName: Ransomware.Jigsaw.zip
PayloadFileTreeJigsawItemsPath: Jigsaw/Ransomware.Jigsaw.zip
PayloadFileTreeJigsawTotalCount: 1
PayloadFileTreeProcessingTime: 6.953249
PayloadPath: Jigsaw/Ransomware.Jigsaw.zip
PayloadReducedMotionEnabled: null
PayloadRefInfoCanEdit: -
PayloadRefInfoCurrentOid: 71f6062209bed1c52b63637746239868da0da49e
PayloadRefInfoListCacheKey: v0:1628594348.8846889
PayloadRefInfoName: main
PayloadRefInfoRefType: branch
PayloadRepoCreatedAt: 2021-08-10T10:20:11.000Z
PayloadRepoCurrentUserCanPush: -
PayloadRepoDefaultBranch: main
PayloadRepoId: 394609962
PayloadRepoIsEmpty: -
PayloadRepoIsFork: -
PayloadRepoIsOrgOwned: -
PayloadRepoName: Ransomware-Samples
PayloadRepoOwnerAvatar: https://avatars.githubusercontent.com/u/64693844?v=4
PayloadRepoOwnerLogin: kh4sh3i
PayloadRepoPrivate: -
PayloadRepoPublic:
PayloadSymbolsExpanded: -
PayloadTreeExpanded:
Title: Ransomware-Samples/Jigsaw/Ransomware.Jigsaw.zip at main · kh4sh3i/Ransomware-Samples
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
39
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs winrar.exe jigsa.exe drpbx.exe jigsa.exe jigsa.exe

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3992 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
452"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Ransomware.Jigsaw.zip" C:\Users\admin\Desktop\Ransomware.Jigsaw\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
604"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=4172 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
984"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4432 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1028"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1216"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3980 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1344"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3888 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1432"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3700 --field-trial-handle=1312,i,2407239491874019720,4286521662024944836,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1776"C:\Users\admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\admin\Downloads\Ransomware.Jigsaw\jigsa.exeC:\Users\admin\AppData\Local\Drpbx\drpbx.exe
jigsa.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
37.0.2.5583
Modules
Images
c:\users\admin\appdata\local\drpbx\drpbx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1848"C:\Users\admin\Downloads\Ransomware.Jigsaw\jigsa.exe" C:\Users\admin\Downloads\Ransomware.Jigsaw\jigsa.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
37.0.2.5583
Modules
Images
c:\users\admin\downloads\ransomware.jigsaw\jigsa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
69 693
Read events
69 596
Write events
96
Delete events
1

Modification events

(PID) Process:(2640) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_0
Value:
38000000730100000402000000000000D4D0C8000000000000000000000000005C0104000000000039000000B40200000000000001000000
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_1
Value:
38000000730100000500000000000000D4D0C8000000000000000000000000008C010C0000000000160000002A0000000000000002000000
(PID) Process:(2640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_2
Value:
38000000730100000400000000000000D4D0C800000000000000000000000000AC0107000000000016000000640000000000000003000000
(PID) Process:(452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
Executable files
34
Suspicious files
2 061
Text files
132
Unknown types
0

Dropped files

PID
Process
Filename
Type
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1579bd.TMP
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1579dd.TMP
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF157a89.TMP
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variationsbinary
MD5:961E3604F228B0D10541EBF921500C86
SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
1860msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pmabinary
MD5:C612E96CBFAC63232FC2062E15600FB1
SHA256:DB3C05D5EC0B6719A73E7F0BE84BCE9342772DA70567E7CE08CF6573480B38FF
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datbinary
MD5:C7352A0E98449CC8AEDC1D6954C4CCD9
SHA256:3A1591F52AD31B5B0B48F97AB5E1361D0AD0FA0F584E8FE8EFD482801DC2B9B5
2672msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Versiontext
MD5:61FE7896F9494DCDF53480A325F4FB85
SHA256:ACFD3CD36E0DFCF1DCB67C7F31F2A5B9BA0815528A0C604D4330DFAA9E683E51
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
65
DNS requests
120
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2072
msedge.exe
204.79.197.203:443
ntp.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2072
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2072
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2672
msedge.exe
239.255.255.250:1900
whitelisted
2072
msedge.exe
23.37.226.113:443
assets.msn.com
Akamai International B.V.
DE
unknown
2072
msedge.exe
2.21.20.134:443
img-s-msn-com.akamaized.net
Akamai International B.V.
DE
unknown
2072
msedge.exe
23.53.43.121:443
th.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
ntp.msn.com
  • 204.79.197.203
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
assets.msn.com
  • 23.37.226.113
  • 23.37.226.80
whitelisted
img-s-msn-com.akamaized.net
  • 2.21.20.134
  • 2.21.20.136
whitelisted
sb.scorecardresearch.com
  • 18.245.60.76
  • 18.245.60.107
  • 18.245.60.72
  • 18.245.60.53
shared
th.bing.com
  • 23.53.43.121
  • 23.37.226.106
  • 23.53.43.115
whitelisted
www.bing.com
  • 23.53.43.115
  • 23.53.43.121
  • 23.37.226.106
  • 2.20.142.187
  • 2.20.142.154
whitelisted
c.msn.com
  • 68.219.88.97
whitelisted
c.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip