File name: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z

Full analysis: https://app.any.run/tasks/b1c635b8-f5c1-44f1-b8b1-e7e6df9b5f28
Verdict: Malicious activity
Threats:

Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users encrypting personal files (photos, documents) with the risk of their permanent loss.

Analysis date: April 29, 2025, 21:51:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
cerber
ransomware
evasion
possible-phishing
phish-url
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: E3D815163AFDDCA655CC319F0F804103
SHA1: 08ADC9EA5BD6CFA8E780D9FB0C6983E2BFEB854A
SHA256: 1C4819A0FC906D37386472C9859F9176FB7BAC637E6ECCC15E21DF31AA8B0C9B
SSDEEP: 3072:IJ5W+wWLI1onFF2e9QUiQQEvl9VIPpuxaaL78ks:M4WLz2gQIvvqUhL5s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CERBER mutex has been found

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Creates files in the Startup directory

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Changes the autorun value in the registry

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • The process uses screensaver hijack for persistence

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Starts CMD.EXE for self-deletion

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Deletes shadow copies

      • BdeUnlockWizard.exe (PID: 988)
    • Using BCDEDIT.EXE to modify recovery options

      • BdeUnlockWizard.exe (PID: 988)
  • SUSPICIOUS

    • Starts itself from another location

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Executable content was dropped or overwritten

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Starts CMD.EXE for command execution

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Reads the Internet Settings

      • BdeUnlockWizard.exe (PID: 988)
      • WMIC.exe (PID: 3420)
    • Reads security settings of Internet Explorer

      • BdeUnlockWizard.exe (PID: 988)
    • Checks for external IP

      • BdeUnlockWizard.exe (PID: 988)
      • svchost.exe (PID: 1080)
    • Executes as a Windows service

      • VSSVC.exe (PID: 3640)
    • Hides command output

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • Uses TASKKILL.EXE to kill a process

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • Runs PING.EXE to simulate a delay

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • The process executes VB scripts

      • BdeUnlockWizard.exe (PID: 988)
    • Starts notepad (likely ransomware note)

      • BdeUnlockWizard.exe (PID: 988)
    • There is functionality for taking screenshots (YARA)

      • BdeUnlockWizard.exe (PID: 988)
    • A possible phishing URL containing an email address has been detected

      • msedge.exe (PID: 1168)
  • INFO

    • Manual execution by a user

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • msedge.exe (PID: 996)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1224)
    • Checks supported languages

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Reads the computer name

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Reads the machine GUID from the registry

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Creates files or folders in the user directory

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Checks proxy server information

      • BdeUnlockWizard.exe (PID: 988)
    • Local mutex for internet shortcut management

      • BdeUnlockWizard.exe (PID: 988)
    • Application launched itself

      • msedge.exe (PID: 3404)
      • msedge.exe (PID: 996)
      • msedge.exe (PID: 1168)
    • Creates files in a temporary directory

      • BdeUnlockWizard.exe (PID: 988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2017:03:05 22:23:38+00:00
ArchivedFileName: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 40
Malicious processes: 2
Suspicious processes: 3

Behavior graph

start winrar.exe #CERBER trojan-ransom.win32.zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe #CERBER bdeunlockwizard.exe cmd.exe no specs taskkill.exe no specs ping.exe no specs vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs svchost.exe msedge.exe no specs notepad.exe no specs msedge.exe no specs wscript.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs taskkill.exe no specs ping.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 220
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1552 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 328
CMD: "C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe"
Path: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
Parent process: explorer.exe
User:
admin
Company:
Whiffles Hee
Integrity Level:
HIGH
Description:
courb destructing
Exit code:
0
Version:
6.6.0.13695
Modules
Images
c:\users\admin\desktop\trojan-ransom.win32.zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olesvr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 912
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\# DECRYPT MY FILES #.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: BdeUnlockWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 988
CMD: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe"
Path: C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe
Parent process: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
User:
admin
Company:
Whiffles Hee
Integrity Level:
HIGH
Description:
courb destructing
Exit code:
0
Version:
6.6.0.13695
Modules
Images
c:\users\admin\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}\bdeunlockwizard.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olesvr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 996
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --enable-features=msMicrosoftRootStoreUsed --flag-switches-end --do-not-de-elevate http://cerberhhyed5frqa.xmfir0.win/0E6A-7CD7-32AE-0063-70D3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1168
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\admin\Desktop\# DECRYPT MY FILES #.html
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: BdeUnlockWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1224
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1336
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 254
Read events: 10 036
Write events: 199
Delete events: 19

Modification events

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1080) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Operation: write
Name: {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
Value: D4DA6D39D73C

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 6
Suspicious files: 1 150
Text files: 640
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1224.31474\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | executable
  MD5: F06F331393CEB572DCCD09C0176FC6BF
  SHA256: E54F555DB8F72232D7C130104C6B8CC5B32887634E8E2DA7158252E3C0CAF6F3
328 | Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdeUnlockWizard.lnk | binary
  MD5: 38CE0DFD4FE30CA3D0E0266FB3734D44
  SHA256: E6784EC4D6493632309F4A256CD26A2E2A6082D24CAEA3B456A8AB4C5EE5CE97
328 | Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe | executable
  MD5: F06F331393CEB572DCCD09C0176FC6BF
  SHA256: E54F555DB8F72232D7C130104C6B8CC5B32887634E8E2DA7158252E3C0CAF6F3
988 | BdeUnlockWizard.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | binary
  MD5: CA30D9A39EF7F6DA1E7EF8B85906F582
  SHA256: 0F79E243C8BBCF6317EB99A0EE5B68B7D0524DC238D9C5CED2F67CAA77785BC7
988 | BdeUnlockWizard.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\json[1].json | binary
  MD5: C0F25B1F2A7CF4E0DCFD1C530E98EC90
  SHA256: FA52581A25BBE45EC9B9C8088FAA13EBC492E1C4F13AFB69C75102F7770FC3A8
988 | BdeUnlockWizard.exe | C:\Users\admin\Downloads\8iLAjj39j2.cerber | binary
  MD5: E903195240110BCC1A257CDA41D8F6E0
  SHA256: 1E899018595FCB04E4912BA085313FF4E4D59BF7381CBD5E8D11E0E0C1C63A20
988 | BdeUnlockWizard.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].htm | html
  MD5: E89F75F918DBDCEE28604D4E09DD71D7
  SHA256: 6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
988 | BdeUnlockWizard.exe | C:\Users\admin\Pictures\consumersep.jpg | binary
  MD5: 7962873F1E90A0CDA4449CB563E8F4D8
  SHA256: A2266E08F1E6BA421DD6A44AEB2F8656738775D5DC446575C1486A91622E4AD5
988 | BdeUnlockWizard.exe | C:\Users\admin\Downloads\edgestories.png | binary
  MD5: E903195240110BCC1A257CDA41D8F6E0
  SHA256: 1E899018595FCB04E4912BA085313FF4E4D59BF7381CBD5E8D11E0E0C1C63A20
988 | BdeUnlockWizard.exe | C:\Users\admin\Documents\rentalsarticle.rtf | binary
  MD5: C5234A97570AF9F66AA214155FCD6703
  SHA256: C187A842A342EC1AEC61ED3514CAA6259FE22BA2718E70FA800BA482444D239A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 49 060
DNS requests: 21
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
988 | BdeUnlockWizard.exe | GET | 403 | 34.117.59.81:80 | http://ipinfo.io/json | unknown | - | - | whitelisted
988 | BdeUnlockWizard.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | - | - | whitelisted
988 | BdeUnlockWizard.exe | GET | 200 | 15.197.148.33:80 | http://freegeoip.net/json/ | unknown | - | - | shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
988
BdeUnlockWizard.exe
85.93.0.0:6892
unknown
988
BdeUnlockWizard.exe
85.93.0.1:6892
unknown
988
BdeUnlockWizard.exe
85.93.0.2:6892
unknown
988
BdeUnlockWizard.exe
85.93.0.10:6892
unknown
988
BdeUnlockWizard.exe
85.93.0.7:6892
unknown
988
BdeUnlockWizard.exe
85.93.0.6:6892
unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110, 172.217.23.206 | whitelisted
ipinfo.io | 34.117.59.81 | whitelisted
freegeoip.net | 15.197.148.33, 3.33.130.190 | shared
ip-api.com | 208.95.112.1 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
cerberhhyed5frqa.xmfir0.win | - | unknown
www.bing.com | 104.126.37.163, 104.126.37.123, 104.126.37.139, 104.126.37.130, 104.126.37.145 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
988 | BdeUnlockWizard.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
988 | BdeUnlockWizard.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
No debug info