File name: SpotifySetup.exe

Full analysis: https://app.any.run/tasks/bf08ba18-afac-4739-9df3-cd265eabf90f
Verdict: Malicious activity
Analysis date: November 21, 2024, 23:55:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-html
arch-scr
github
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 15891DC8FCA93B18327774D9EB66B3BD
SHA1: 677938C1425C124F64088E98D4CA83CDE09B50A7
SHA256: 4248F53D62140F347163959B706527974D0AED7404139B84E3627B949CD10042
SSDEEP: 12288:+21U0/tSIlXD+ZAOckdukMHmQ+wLgcnWh1yH6QBKgPirVYVVVVVSA:Nj8I8ZA9aukMGPwrWzyauk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Spotify.exe (PID: 6860)
    • Starts CMD.EXE for commands execution

      • msedge.exe (PID: 4740)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SpotifySetup.exe (PID: 5464)
    • Checks Windows Trust Settings

      • SpotifySetup.exe (PID: 5464)
    • Process drops legitimate windows executable

      • SpWebInst0.exe (PID: 6688)
    • Executable content was dropped or overwritten

      • SpWebInst0.exe (PID: 6688)
    • Application launched itself

      • Spotify.exe (PID: 6860)
    • Creates a software uninstall entry

      • SpWebInst0.exe (PID: 6688)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 7896)
    • The process checks if it is being run in the virtual environment

      • Spotify.exe (PID: 6860)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8704)
      • powershell.exe (PID: 6504)
    • The process executes Powershell scripts

      • cmd.exe (PID: 7896)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7896)
    • Executing commands from a ".bat" file

      • msedge.exe (PID: 4740)
  • INFO

    • Checks supported languages

      • SpotifySetup.exe (PID: 5464)
      • SpWebInst0.exe (PID: 6688)
      • TextInputHost.exe (PID: 5404)
      • Spotify.exe (PID: 6860)
      • Spotify.exe (PID: 6912)
      • Spotify.exe (PID: 7068)
      • Spotify.exe (PID: 7076)
      • Spotify.exe (PID: 7000)
      • identity_helper.exe (PID: 8172)
      • Spotify.exe (PID: 8640)
      • Spotify.exe (PID: 8372)
      • Spotify.exe (PID: 6156)
      • Spotify.exe (PID: 6732)
    • Creates files or folders in the user directory

      • SpotifySetup.exe (PID: 5464)
      • SpWebInst0.exe (PID: 6688)
      • Spotify.exe (PID: 6860)
      • Spotify.exe (PID: 6912)
      • Spotify.exe (PID: 7076)
    • Checks proxy server information

      • SpotifySetup.exe (PID: 5464)
      • Spotify.exe (PID: 6860)
      • powershell.exe (PID: 8704)
    • Reads the computer name

      • SpotifySetup.exe (PID: 5464)
      • TextInputHost.exe (PID: 5404)
      • SpWebInst0.exe (PID: 6688)
      • Spotify.exe (PID: 7076)
      • Spotify.exe (PID: 7068)
      • Spotify.exe (PID: 6860)
      • identity_helper.exe (PID: 8172)
      • Spotify.exe (PID: 7000)
      • identity_helper.exe (PID: 3716)
    • Reads the software policy settings

      • SpotifySetup.exe (PID: 5464)
      • powershell.exe (PID: 8704)
    • Reads the machine GUID from the registry

      • SpotifySetup.exe (PID: 5464)
      • Spotify.exe (PID: 6860)
    • Manual execution by a user

      • cmd.exe (PID: 6556)
      • msedge.exe (PID: 4740)
    • Sends debugging messages

      • Spotify.exe (PID: 6860)
    • Process checks computer location settings

      • Spotify.exe (PID: 6860)
      • Spotify.exe (PID: 6732)
    • Application launched itself

      • msedge.exe (PID: 4740)
      • msedge.exe (PID: 7664)
    • Reads Environment values

      • identity_helper.exe (PID: 8172)
      • identity_helper.exe (PID: 3716)
    • Create files in a temporary directory

      • Spotify.exe (PID: 6860)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8704)
      • powershell.exe (PID: 6504)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7812)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 8704)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 8704)
    • Disables trace logs

      • powershell.exe (PID: 8704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1979:05:11 12:48:29+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.36
CodeSize: 433152
InitializedDataSize: 594944
UninitializedDataSize: -
EntryPoint: 0x1641
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.51.345
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Spotify Ltd
FileDescription: SpotifyInstaller
FileVersion: 0,0,0,0
InternalName: SpotifyInstaller
LegalCopyright: Copyright (c) 2024, Spotify Ltd
OriginalFileName: SpotifyInstaller.exe
ProductName: Spotify
ProductVersion: 1.2.51.345.gcc39d911
No data.
All screenshots are available in the full report
Total processes
238
Monitored processes
99
Malicious processes
4
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
828
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3860 --field-trial-handle=2244,i,4577759261947481615,3147850985793346918,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
908
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5700 --field-trial-handle=2244,i,4577759261947481615,3147850985793346918,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1076
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4716 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1616
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6516 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID:
1804
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2676
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5072 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2736
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7808 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2956
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=2244,i,4577759261947481615,3147850985793346918,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3716
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=2244,i,4577759261947481615,3147850985793346918,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
3764
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7712 --field-trial-handle=2444,i,1386866524675053983,8326480944382601240,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
25 686
Read events
25 588
Write events
93
Delete events
5

Modification events

(PID) Process: (5464) SpotifySetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5464) SpotifySetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (5464) SpotifySetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Spotify Web Helper
Value:

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: DisplayIcon
Value:
C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: DisplayName
Value:
Spotify

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: DisplayVersion
Value:
1.2.51.345.gcc39d911

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: Version
Value:
1.2.51.345.gcc39d911

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: InstallDate
Value:
20241121

(PID) Process: (6688) SpWebInst0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spotify
Operation: write
Name: InstallLocation
Value:
C:\Users\admin\AppData\Roaming\Spotify
Executable files
31
Suspicious files
1 218
Text files
259
Unknown types
137

Dropped files

PID | Process | Filename | Type
5464 | SpotifySetup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\SpotifyFullSetupX64[1].exe | -
MD5: -
SHA256: -
5464 | SpotifySetup.exe | C:\Users\admin\AppData\Roaming\Spotify\SpWebInst0.exe | -
MD5: -
SHA256: -
5464 | SpotifySetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4D90A79F4986A67200F4F4B3378FFAD0 | der
MD5: AB24EBABBFB2F16C494817948CADFAB5
SHA256: 1ACDCF40F70B98A92BB2821779DDC7CD5DCDDDB8C4781BFFB859A6980FBBE620
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_0_~ | compressed
MD5: 870FB84DEBD15E3DD5861B312C65E2C8
SHA256: B6575138AF9C4C3650818EE4C2368A2FEE4B9902B2E06BE809FCB620F3899458
5464 | SpotifySetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4D90A79F4986A67200F4F4B3378FFAD0 | binary
MD5: ADA162EFDF5FB50A8A79D813B268F006
SHA256: D576B9C9273551D16CDB790CF702A84DCB7DE2BF98386CF05DC16DF5A4C6E1BA
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_26_~ | binary
MD5: D51730E0F49B779A8797A84EE2A5DF13
SHA256: D27F2DA3CFD6182670AAD9334253039070FA68951B820A0E2466DC8A33B8A59B
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_22_~ | binary
MD5: 65E8D8AEE41DD20559F9AB2423FEAA6B
SHA256: BC082094F5FCC87EB8FD555E49CE797E3CF25EB1216DE710AE922F5A507D2529
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_6_~ | binary
MD5: 19BAD258DDF5B876DEABB708810093E6
SHA256: B78C9110523A405EEDC5C693C5D1E0422F3AE1FB5BB312A3F518AD8C7645F8DE
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_14_~ | binary
MD5: 8D2FDBE926FCBF8F7C5A987B94C8D11C
SHA256: 6DE3388963D2092E6E2C6105C62A44730E4553393B9FF8F227CF6A8DCFFBBD7E
6688 | SpWebInst0.exe | C:\Users\admin\AppData\Roaming\Spotify\~TMP_6688_16_~ | gmo
MD5: 1CA307AE3A4BEF36F49AEFF37A3FD2CC
SHA256: 4D498B2FD63284D6980E8EBF0289649E5F04632181DDA1D4CD476DA47CD4E2AC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
65
TCP/UDP connections
215
DNS requests
265
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5464 | SpotifySetup.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH%2B2oOpV4owETJUuldY0n1w%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
6712 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6712 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4932 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 23.212.110.152:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
www.bing.com
  • 23.212.110.152
  • 23.212.110.176
  • 23.212.110.168
  • 23.212.110.178
  • 23.212.110.163
  • 23.212.110.161
  • 23.212.110.177
  • 23.212.110.169
  • 23.212.110.162
  • 23.212.110.179
  • 23.212.110.209
  • 23.212.110.171
  • 23.212.110.208
  • 23.212.110.137
  • 23.212.110.187
  • 23.212.110.136
  • 23.212.110.218
  • 23.212.110.154
  • 23.212.110.144
  • 23.212.110.170
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
download.scdn.co
  • 199.232.214.248
  • 199.232.210.248
whitelisted
ocsp2.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
r.bing.com
  • 23.212.110.187
  • 23.212.110.185
  • 23.212.110.171
  • 23.212.110.209
  • 23.212.110.177
  • 23.212.110.179
  • 23.212.110.169
  • 23.212.110.176
  • 23.212.110.170
  • 23.212.110.136
  • 23.212.110.162
  • 23.212.110.137
  • 23.212.110.208
  • 23.212.110.161
  • 23.212.110.178
  • 23.212.110.154
  • 23.212.110.152
  • 23.212.110.218
  • 23.212.110.168
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.68
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.2
  • 40.126.31.73
  • 40.126.31.69
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.76
  • 20.190.160.22
whitelisted

Threats

PID | Process | Class | Message
7408 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7408 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7408 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
7408 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub

Process | Message
Spotify.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local directory exists )