File name:

Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z

Full analysis: https://app.any.run/tasks/b1c635b8-f5c1-44f1-b8b1-e7e6df9b5f28
Verdict: Malicious activity
Threats:

Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users, encrypting personal files (photos, documents) that are then at risk of permanent loss.

Analysis date: April 29, 2025, 21:51:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
cerber
ransomware
evasion
possible-phishing
phish-url
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

E3D815163AFDDCA655CC319F0F804103

SHA1:

08ADC9EA5BD6CFA8E780D9FB0C6983E2BFEB854A

SHA256:

1C4819A0FC906D37386472C9859F9176FB7BAC637E6ECCC15E21DF31AA8B0C9B

SSDEEP:

3072:IJ5W+wWLI1onFF2e9QUiQQEvl9VIPpuxaaL78ks:M4WLz2gQIvvqUhL5s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CERBER mutex has been found

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Create files in the Startup directory

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Changes the autorun value in the registry

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • The process uses screensaver hijack for persistence

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Deletes shadow copies

      • BdeUnlockWizard.exe (PID: 988)
    • Using BCDEDIT.EXE to modify recovery options

      • BdeUnlockWizard.exe (PID: 988)
    • Starts CMD.EXE for self-deletion

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
  • SUSPICIOUS

    • Starts itself from another location

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Executable content was dropped or overwritten

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
    • Reads the Internet Settings

      • BdeUnlockWizard.exe (PID: 988)
      • WMIC.exe (PID: 3420)
    • Reads security settings of Internet Explorer

      • BdeUnlockWizard.exe (PID: 988)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3640)
    • Checks for external IP

      • svchost.exe (PID: 1080)
      • BdeUnlockWizard.exe (PID: 988)
    • Starts CMD.EXE for command execution

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • Hides command output

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 3624)
    • Possible phishing URL containing an email address has been detected

      • msedge.exe (PID: 1168)
    • Start notepad (likely ransomware note)

      • BdeUnlockWizard.exe (PID: 988)
    • The process executes VB scripts

      • BdeUnlockWizard.exe (PID: 988)
    • There is functionality for taking screenshot (YARA)

      • BdeUnlockWizard.exe (PID: 988)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1224)
    • Manual execution by a user

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • msedge.exe (PID: 996)
    • Reads the computer name

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Reads the machine GUID from the registry

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Checks supported languages

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Creates files or folders in the user directory

      • Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe (PID: 328)
      • BdeUnlockWizard.exe (PID: 988)
    • Checks proxy server information

      • BdeUnlockWizard.exe (PID: 988)
    • Create files in a temporary directory

      • BdeUnlockWizard.exe (PID: 988)
    • Local mutex for internet shortcut management

      • BdeUnlockWizard.exe (PID: 988)
    • Application launched itself

      • msedge.exe (PID: 1168)
      • msedge.exe (PID: 996)
      • msedge.exe (PID: 3404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2017:03:05 22:23:38+00:00
ArchivedFileName: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
No data.
All screenshots are available in the full report
Total processes
88
Monitored processes
40
Malicious processes
2
Suspicious processes
3

Behavior graph

start winrar.exe #CERBER trojan-ransom.win32.zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe #CERBER bdeunlockwizard.exe cmd.exe no specs taskkill.exe no specs ping.exe no specs vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs svchost.exe msedge.exe no specs notepad.exe no specs msedge.exe no specs wscript.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs taskkill.exe no specs ping.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 220
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1552 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 328
CMD: "C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe"
Path: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
Parent process: explorer.exe
User:
admin
Company:
Whiffles Hee
Integrity Level:
HIGH
Description:
courb destructing
Exit code:
0
Version:
6.6.0.13695
Modules
Images
c:\users\admin\desktop\trojan-ransom.win32.zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olesvr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 912
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\# DECRYPT MY FILES #.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: BdeUnlockWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 988
CMD: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe"
Path: C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe
Parent process: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
User:
admin
Company:
Whiffles Hee
Integrity Level:
HIGH
Description:
courb destructing
Exit code:
0
Version:
6.6.0.13695
Modules
Images
c:\users\admin\appdata\roaming\{6b977300-2501-f740-f2c0-799d6aca21c2}\bdeunlockwizard.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olesvr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 996
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --enable-features=msMicrosoftRootStoreUsed --flag-switches-end --do-not-de-elevate http://cerberhhyed5frqa.xmfir0.win/0E6A-7CD7-32AE-0063-70D3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1168
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\admin\Desktop\# DECRYPT MY FILES #.html
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: BdeUnlockWizard.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1224
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1336
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1304,i,4177071377510477583,5345970103072673720,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
10 254
Read events
10 036
Write events
199
Delete events
19

Modification events

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1080) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Operation: write
Name: {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
Value: D4DA6D39D73C

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.7z

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files
6
Suspicious files
1 150
Text files
640
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\json[1].json | Type: binary
MD5: C0F25B1F2A7CF4E0DCFD1C530E98EC90
SHA256: FA52581A25BBE45EC9B9C8088FAA13EBC492E1C4F13AFB69C75102F7770FC3A8

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\Downloads\edgestories.png | Type: binary
MD5: E903195240110BCC1A257CDA41D8F6E0
SHA256: 1E899018595FCB04E4912BA085313FF4E4D59BF7381CBD5E8D11E0E0C1C63A20

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\Documents\rentalsarticle.rtf | Type: binary
MD5: C5234A97570AF9F66AA214155FCD6703
SHA256: C187A842A342EC1AEC61ED3514CAA6259FE22BA2718E70FA800BA482444D239A

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].htm | Type: html
MD5: E89F75F918DBDCEE28604D4E09DD71D7
SHA256: 6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023

PID: 1224 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1224.31474\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | Type: executable
MD5: F06F331393CEB572DCCD09C0176FC6BF
SHA256: E54F555DB8F72232D7C130104C6B8CC5B32887634E8E2DA7158252E3C0CAF6F3

PID: 328 | Process: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | Filename: C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\BdeUnlockWizard.exe | Type: executable
MD5: F06F331393CEB572DCCD09C0176FC6BF
SHA256: E54F555DB8F72232D7C130104C6B8CC5B32887634E8E2DA7158252E3C0CAF6F3

PID: 328 | Process: Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdeUnlockWizard.lnk | Type: binary
MD5: 38CE0DFD4FE30CA3D0E0266FB3734D44
SHA256: E6784EC4D6493632309F4A256CD26A2E2A6082D24CAEA3B456A8AB4C5EE5CE97

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\Pictures\individualfully.jpg | Type: binary
MD5: AAF45A81E8141F889AF95E10310734C1
SHA256: 7FDE3CA371DDA7529A27F3B6697C0D244C69AF48B7950F2EC9172B4A592ECA04

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml | Type: binary
MD5: B7BADBB8D529B424F227B47983BEBD9A
SHA256: AE7C48BDFF33C3316366FE562E71238A89B2E74DCF299DC36DF72014E97E20DD

PID: 988 | Process: BdeUnlockWizard.exe | Filename: C:\Users\admin\Pictures\tTJB_yuugu.cerber | Type: binary
MD5: AAF45A81E8141F889AF95E10310734C1
SHA256: 7FDE3CA371DDA7529A27F3B6697C0D244C69AF48B7950F2EC9172B4A592ECA04
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
49 060
DNS requests
21
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
988 | BdeUnlockWizard.exe | GET | 403 | 34.117.59.81:80 | http://ipinfo.io/json | unknown | | | whitelisted
988 | BdeUnlockWizard.exe | GET | 200 | 15.197.148.33:80 | http://freegeoip.net/json/ | unknown | | | shared
988 | BdeUnlockWizard.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
988 | BdeUnlockWizard.exe | 85.93.0.0:6892 | | | | unknown
988 | BdeUnlockWizard.exe | 85.93.0.1:6892 | | | | unknown
988 | BdeUnlockWizard.exe | 85.93.0.2:6892 | | | | unknown
988 | BdeUnlockWizard.exe | 85.93.0.10:6892 | | | | unknown
988 | BdeUnlockWizard.exe | 85.93.0.7:6892 | | | | unknown
988 | BdeUnlockWizard.exe | 85.93.0.6:6892 | | | | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110, 172.217.23.206 | whitelisted
ipinfo.io | 34.117.59.81 | whitelisted
freegeoip.net | 15.197.148.33, 3.33.130.190 | shared
ip-api.com | 208.95.112.1 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
cerberhhyed5frqa.xmfir0.win | | unknown
www.bing.com | 104.126.37.163, 104.126.37.123, 104.126.37.139, 104.126.37.130, 104.126.37.145 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
988 | BdeUnlockWizard.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
988 | BdeUnlockWizard.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
No debug info