File name: Cyberpunk 2077 v6.15 (2021 Update).rar

Full analysis: https://app.any.run/tasks/6a312f39-edcc-4a67-837f-868879cc6773
Verdict: Malicious activity
Analysis date: August 04, 2023, 15:24:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 2C7B2E2D25DFB94495F898500527E8D8
SHA1: 61EA0130ADD1C3DAE9B89303DBB660B31FEC20F4
SHA256: DFA8DE4B5BD0988D7233CF43BEA10879E8C700FBF69CA187428456AB82C33AAB
SSDEEP: 98304:+ay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mw:+ay8/6vDBAuOr6kYp+tEK6eKe5GoZF2U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • Setup.exe (PID: 680)
      • Setup.exe (PID: 3524)
    • Reads the Internet Settings

      • Setup.exe (PID: 1616)
    • Checks for external IP

      • Setup.exe (PID: 1616)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 2676)
      • Setup.exe (PID: 1616)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2676)
      • Setup.exe (PID: 680)
      • Setup.exe (PID: 1616)
      • Setup.exe (PID: 3412)
      • Setup.exe (PID: 3524)
    • The process checks LSA protection

      • wmpnscfg.exe (PID: 2676)
      • Setup.exe (PID: 1616)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 2676)
      • Setup.exe (PID: 1616)
    • Manual execution by a user

      • Setup.exe (PID: 680)
      • WinRAR.exe (PID: 1128)
      • Setup.exe (PID: 3332)
      • Setup.exe (PID: 3524)
      • Setup.exe (PID: 3712)
    • Checks proxy server information

      • Setup.exe (PID: 1616)
    • Creates files in the program directory

      • Setup.exe (PID: 1616)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 1616)
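The signatures above are derived from raw sandbox events: a process whose child runs the same image, an HTTP request to an IP-echo service, a file written under a shared program directory. The script below, an added example and not ANY.RUN's own detection code, re-derives them from event records constructed out of this report's process, HTTP and dropped-file tables. The field names, the explorer.exe PID (1000, not given in the report) and the pairing of the two Setup.exe children with their HIGH-integrity parents are assumptions; it also decodes the exit code 3221226540 that two of the Setup.exe launches return, which the report leaves raw.

```python
"""Re-derive the report's behavioural signatures from raw sandbox events.

Added example, not ANY.RUN's own detection code. The records below are
constructed from this report's process, HTTP and dropped-file tables; the
field names, the explorer.exe PID (1000) and which HIGH-integrity Setup.exe
spawned which child are assumptions.
"""
from urllib.parse import urlsplit

# Hosts whose only purpose is to echo the caller's public IP (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org", "icanhazip.com", "ifconfig.me"}

# NTSTATUS returned when a launch is refused for lack of elevation.
STATUS_ELEVATION_REQUIRED = 0xC000042C  # 3221226540 in the report's decimal

EXPLORER_PID = 1000  # assumed; the report names explorer.exe but gives no PID

# Constructed process-creation events: pid, image, parent pid, integrity, exit code.
PROCESS_EVENTS = [
    {"pid": 1128, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "ppid": EXPLORER_PID, "integrity": "MEDIUM", "exit": 0},
    {"pid": 3332, "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": EXPLORER_PID, "integrity": "MEDIUM", "exit": 0xC000042C},
    {"pid": 680,  "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": EXPLORER_PID, "integrity": "HIGH", "exit": 0},
    {"pid": 1616, "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": 680, "integrity": "HIGH", "exit": 0},   # parent assumed
    {"pid": 3712, "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": EXPLORER_PID, "integrity": "MEDIUM", "exit": 0xC000042C},
    {"pid": 3524, "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": EXPLORER_PID, "integrity": "HIGH", "exit": 0},
    {"pid": 3412, "image": r"C:\Users\admin\Desktop\Setup.exe", "ppid": 3524, "integrity": "HIGH", "exit": 0},  # parent assumed
    {"pid": 2676, "image": r"C:\Program Files\Windows Media Player\wmpnscfg.exe", "ppid": EXPLORER_PID, "integrity": "MEDIUM", "exit": 0},
]

# The single HTTP request in the report.
HTTP_EVENTS = [
    {"pid": 1616, "method": "GET", "url": "http://api.ipify.org/?format=xml", "status": 200},
]

# A subset of the dropped-file rows (path only; hashes are not needed here).
FILE_EVENTS = [
    {"pid": 1616, "path": r"C:\ProgramData\krosqm.txt"},
    {"pid": 1616, "path": r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2TDVBVWN.txt"},
    {"pid": 3344, "path": r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\Info.nfo"},
]


def launched_itself(procs):
    """PIDs whose child runs the same image: 'Application launched itself'."""
    by_pid = {p["pid"]: p for p in procs}
    hits = set()
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["image"].lower() == p["image"].lower():
            hits.add(parent["pid"])
    return hits


def checks_external_ip(http):
    """PIDs that asked an IP-echo service for the guest's public address."""
    hits = set()
    for e in http:
        host = (urlsplit(e["url"]).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            hits.add(e["pid"])
    return hits


def elevation_refused(procs):
    """PIDs that ended with STATUS_ELEVATION_REQUIRED. The image needs
    elevation (via its manifest, or UAC installer detection for unmanifested
    32-bit images named like Setup.exe), so the MEDIUM-integrity launch is
    refused and the same image reappears at HIGH integrity after consent."""
    return {p["pid"] for p in procs if p["exit"] == STATUS_ELEVATION_REQUIRED}


def writes_program_dir(files, roots=(r"c:\programdata",)):
    """PIDs writing under a shared program-data root (case-insensitive)."""
    return {f["pid"] for f in files if f["path"].lower().startswith(roots)}


def run_signatures():
    """Signature name -> sorted PIDs, in the layout the report uses."""
    return {
        "Application launched itself": sorted(launched_itself(PROCESS_EVENTS)),
        "Checks for external IP": sorted(checks_external_ip(HTTP_EVENTS)),
        "Creates files in the program directory": sorted(writes_program_dir(FILE_EVENTS)),
        "Launch refused, elevation required": sorted(elevation_refused(PROCESS_EVENTS)),
    }


if __name__ == "__main__":
    for name, pids in run_signatures().items():
        print(f"{name}: {pids}")
```

Run as-is it prints the first three signatures with the same PIDs the report attributes to them, plus the two elevation-refused launches (3332, 3712) that the report only shows as exit code 3221226540 with nothing but ntdll.dll mapped.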
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Graph nodes (in the report's order): start, winrar.exe (no specs), winrar.exe (no specs), setup.exe (no specs), setup.exe, setup.exe, setup.exe (no specs), setup.exe, setup.exe (no specs), wmpnscfg.exe (no specs). "No specs" marks a process with no suspicious indicators; per-process details follow in the Process information section.

Process information

Columns in the report: PID, CMD, Path, Indicators, Parent process. Company and Description are the version-resource strings of each image; for Setup.exe they name Balabolka, a text-to-speech program by Ilya Morozov. Exit code 3221226540 is 0xC000042C (STATUS_ELEVATION_REQUIRED): the MEDIUM-integrity launch was refused because the image requires elevation, which is why PIDs 3332 and 3712 mapped only ntdll.dll before exiting and why the same image then ran at HIGH integrity (PIDs 680 and 3524). The report names the parent of PIDs 1616 and 3412 only as Setup.exe; the "Application launched itself" signature fires for PIDs 680 and 3524, so those are the two parents. Only PID 1616 loads ws2_32.dll, matching the network activity attributed to it. wmpnscfg.exe is a Windows Media Player component started by explorer.exe, not by the sample.

PID: 680
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company: Ilya Morozov
Integrity Level: HIGH
Description: Balabolka
Exit code: 0
Version: 2.15.0.783
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 1128
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Cyberpunk 2077 v6.15 (2021 Update)\Setup (password is THEPIRATEBAY007).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 1616
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: Setup.exe
User: admin
Company: Ilya Morozov
Integrity Level: HIGH
Description: Balabolka
Exit code: 0
Version: 2.15.0.783
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ntdll.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\ws2_32.dll

PID: 2676
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll

PID: 3332
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company: Ilya Morozov
Integrity Level: MEDIUM
Description: Balabolka
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.15.0.783
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\users\admin\desktop\setup.exe

PID: 3344
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cyberpunk 2077 v6.15 (2021 Update).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll

PID: 3412
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: Setup.exe
User: admin
Company: Ilya Morozov
Integrity Level: HIGH
Description: Balabolka
Exit code: 0
Version: 2.15.0.783
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\rpcrt4.dll

PID: 3524
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company: Ilya Morozov
Integrity Level: HIGH
Description: Balabolka
Exit code: 0
Version: 2.15.0.783
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\usp10.dll

PID: 3712
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company: Ilya Morozov
Integrity Level: MEDIUM
Description: Balabolka
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.15.0.783
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\windows\system32\ntdll.dll
Total events: 2 099
Read events: 2 045
Write events: 51
Delete events: 3

Modification events

(PID) Process: (2676) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A5B0CB00-21D9-41E0-AEFE-E3E1C3D4AF17}\{F0303942-585A-4D45-A8E2-548B1050486C}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2676) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A5B0CB00-21D9-41E0-AEFE-E3E1C3D4AF17}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2676) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{36027079-662D-4502-84FB-A17E56C10D0D}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(ArcHistory is WinRAR's list of recently opened archives in the guest profile; none of these three names appears among the files extracted from this sample, so they are sandbox-image artifacts rather than sample activity.)

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 0
Suspicious files: 3
Text files: 3
Unknown types: 0

Dropped files

Columns in the report: PID, Process, Filename, Type, MD5, SHA256. The Rar$DR* paths are WinRAR's temporary extraction folders: PID 3344 unpacked the outer .rar, which yields a folder holding the password-protected Setup (password is THEPIRATEBAY007).zip, and PID 1128 opened that zip and extracted Setup.exe, the binary later run from the Desktop.

PID: 3344 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\Cyberpunk 2077 v6.15 (2021 Update).dat
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 1128 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1128.15519\Setup.exe
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 1616 Setup.exe
Filename: C:\ProgramData\krosqm.txt
Type: text
MD5: C948E528903E46AD028084F59EFD728A
SHA256: 19DEFCE59366064CC525B4A2D0A83213FFD3632138E70F125921C3AA0FEAA852

PID: 1616 Setup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2TDVBVWN.txt
Type: text
MD5: C948E528903E46AD028084F59EFD728A
SHA256: 19DEFCE59366064CC525B4A2D0A83213FFD3632138E70F125921C3AA0FEAA852
(Same hashes as krosqm.txt above: the ProgramData file and this WinINet cache entry hold identical content.)

PID: 3344 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\Setup (password is THEPIRATEBAY007).zip
Type: compressed
MD5: 5A7B05AF6BE77D411D38E4B9603DE6FB
SHA256: F9FF859F39A9E54D733F9C3DA77A0C42A4F9C6C53ECCCCFD7E874B8B5018EC96

PID: 3344 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\THEPIRATEBAY.ORG.url
Type: binary
MD5: F0A05245942DF80720C52D58064731EE
SHA256: 650CAE89065A9B00E4A7A1F3DFE4FB03A33F5BF96453A71DB1C05B30F5469F66

PID: 3344 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\READ HOW TO INSTALL.txt
Type: text
MD5: F0C167FF42EF37405C7E03BBCCB656CD
SHA256: 8846AB9D218B3ACC19BBF05CC3442BD27E9D31AC2E36C2B5462ACDF0E6205E4E

PID: 3344 WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.14246\Cyberpunk 2077 v6.15 (2021 Update)\Info.nfo
Type: binary
MD5: 8FA14B9FB73DE9A4CE73B6970F388E62
SHA256: ADC1A4442FA4EA37E21BB5395F6862088395B64AF819CFE216F246FA60042DA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 1
Threats: 2

HTTP requests

PID: 1616
Process: Setup.exe
Method: GET
HTTP Code: 200
IP: 173.231.16.76:80
URL: http://api.ipify.org/?format=xml
CN: US
Type: text
Size: 13 b
Reputation: shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2640 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1616 | Setup.exe | 173.231.16.76:80 | api.ipify.org | WEBNX | US | malicious
1616 | Setup.exe | 45.93.201.181:80 | - | IT Resheniya LLC | RU | malicious

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 173.231.16.76
  • 104.237.62.211
  • 64.185.227.156
shared
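Reading the Connections and DNS sections together is what makes the second Setup.exe connection stand out: 173.231.16.76 is one of the three addresses the guest received for api.ipify.org, while 45.93.201.181:80 (IT Resheniya LLC, RU) was reached with no DNS request and no HTTP request recorded for it, which points to a hard-coded address. The script below, an added example and not ANY.RUN's own logic, performs that correlation over the DNS answers and connection rows copied from this report. The record layout and the local-noise filter (broadcast, multicast, RFC 1918, link-local, loopback) are assumptions.

```python
"""Correlate sandbox connections with DNS answers to find hard-coded destinations.

Added example, not ANY.RUN's own logic. The DNS answers and connection rows
are copied from this report; the record layout and the noise filter are
assumptions.
"""
import ipaddress

# DNS answers observed in the guest: domain -> resolved addresses.
DNS_ANSWERS = {
    "api.ipify.org": ["173.231.16.76", "104.237.62.211", "64.185.227.156"],
}

# Connection rows from the report's Connections table.
CONNECTIONS = [
    {"pid": 4,    "process": "System",      "dst": "192.168.100.255", "port": 137},
    {"pid": 1088, "process": "svchost.exe", "dst": "224.0.0.252",     "port": 5355},
    {"pid": 4,    "process": "System",      "dst": "192.168.100.255", "port": 138},
    {"pid": 2640, "process": "svchost.exe", "dst": "239.255.255.250", "port": 1900},
    {"pid": 1616, "process": "Setup.exe",   "dst": "173.231.16.76",   "port": 80},
    {"pid": 1616, "process": "Setup.exe",   "dst": "45.93.201.181",   "port": 80},
]


def is_local_noise(ip):
    """Broadcast, multicast, link-local, loopback and RFC 1918 traffic that the
    guest generates on its own (NetBIOS, LLMNR, SSDP); never attributable to
    the sample."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_multicast or a.is_link_local or a.is_loopback


def reverse_map(dns):
    """address -> the name whose DNS answer contained it."""
    return {ip: name for name, ips in dns.items() for ip in ips}


def attribute(conns, dns):
    """Every public connection as (pid, process, 'ip:port', name), where name
    is None if the address never appeared in a DNS answer in the guest."""
    rev = reverse_map(dns)
    return [
        (c["pid"], c["process"], f'{c["dst"]}:{c["port"]}', rev.get(c["dst"]))
        for c in conns
        if not is_local_noise(c["dst"])
    ]


def unresolved(conns, dns):
    """Public destinations reached without a preceding DNS lookup. A hard-coded
    address is not proof of C2, but it is the stream to open first in the PCAP:
    the sandbox has no HTTP record for it, so either the exchange was not
    decodable HTTP or the connection never got past the handshake."""
    return [row for row in attribute(conns, dns) if row[3] is None]


if __name__ == "__main__":
    for row in attribute(CONNECTIONS, DNS_ANSWERS):
        print(row)
    print("hard-coded:", unresolved(CONNECTIONS, DNS_ANSWERS))
```

On the report's data the four System/svchost.exe rows drop out as local noise, the ipify connection is attributed to its DNS name, and only 45.93.201.181:80 remains unresolved. The same check transfers to any sandbox or EDR export that carries both DNS answers and connection events.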

Threats

PID | Process | Class | Message
1616 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup (ipify .org)
1616 | Setup.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] Received IP address from server as result of HTTP request
No debug info