File name: sinashop - SPOTIFY.rar

Full analysis: https://app.any.run/tasks/2adb6d0d-3e15-4715-99c9-e3cea0d2d029
Verdict: Malicious activity
Analysis date: May 17, 2025, 19:10:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
github
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 32588B5DA33386D3084851E75E558685
SHA1: 885E6B759D40C61387AF2374DE851C1D2BE73F78
SHA256: D1A63B0FA95CE8D2932AE90B335CB583BC2AF41F08EDFBA53F4D95E90C7F91FD
SSDEEP: 1536:XsO/HW0pIGLWdaVev33Kn+7/YqEf0UOM5CqJZFn0IqMW07vl0npM:XsAHPmGO7HRkJORQv0IqMT7N0pM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1452)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5344)
  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 6592)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5600)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 6592)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5600)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5228)
      • powershell.exe (PID: 3332)
      • powershell.exe (PID: 2240)
    • The process executes Powershell scripts

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 6592)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5600)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5228)
      • powershell.exe (PID: 3332)
      • powershell.exe (PID: 2240)
    • Found IP address in command line

      • powershell.exe (PID: 5228)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 6592)
      • cmd.exe (PID: 2692)
      • powershell.exe (PID: 5344)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5600)
    • Checks proxy server information

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5228)
      • powershell.exe (PID: 3332)
    • Disables trace logs

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5228)
      • powershell.exe (PID: 3332)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5228)
      • powershell.exe (PID: 5344)
      • powershell.exe (PID: 3332)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 3332)
      • powershell.exe (PID: 5228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 447
UncompressedSize: 666
OperatingSystem: Win32
ArchivedFileName: sinashop - SPOTIFY/sina - ancien version.bat
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 22
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process chain shown in the behavior graph, in start order: winrar.exe, sppextcomobj.exe, slui.exe, rundll32.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 728
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1452
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\sinashop - SPOTIFY.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1812
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\sinashop - SPOTIFY\sina - installation.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2240
CMD: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12; $p='-confirm_uninstall_ms_spoti -confirm_spoti_recomended_over -podcasts_off -block_update_on -start_spoti -new_theme -adsections_off -lyrics_stat spotify'; """ & { $(try { iwr -useb 'https://raw.githubusercontent.com/SpotX-Official/spotx-official.github.io/main/run.ps1' } catch { $p+= ' -m'; iwr -useb 'https://spotx-official.github.io/run.ps1' })} $p """" | iex
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 2656
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\sinashop - SPOTIFY\sina - scripts\Install_Prem.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2692
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\sinashop - SPOTIFY\sina - désinstaller.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 3332
CMD: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12; $p='-premium -new_theme'; """ & { $(try { iwr -useb 'https://raw.githubusercontent.com/SpotX-Official/spotx-official.github.io/main/run.ps1' } catch { $p+= ' -m'; iwr -useb 'https://spotx-official.github.io/run.ps1' })} $p """" | iex
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 4212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4464
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 24 653
Read events: 24 635
Write events: 18
Delete events: 0

Modification events

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\sinashop - SPOTIFY.rar

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (1452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files: 0
Suspicious files: 6
Text files: 48
Unknown types: 0

Dropped files

PID
Process
Filename
Type
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - ancien version.bat | text
MD5: 0B77A7604290D02B4AD8CA31D024F791
SHA256: F645C0E9C9DD665BCA8B85A1AB509AE436E539BBB0904246F25E8CB672BF2194
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - scripts\installer-lang\cs.ps1 | text
MD5: 72F10F452F0C8C3F1789CDAC458B226A
SHA256: 339C37F025CAB7A38E4C8235712A8150B75E2DC27DD2F4AB8489AEFAED100742
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - run.ps1 | text
MD5: 9479BBC5A1A95778C5A0D3E34168C67D
SHA256: C649D5A22334BC75190F54C9FFD25B9177DEF3758592E366F449C844402B3693
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - désinstaller.bat | text
MD5: B74FC1987D231FF335F8A82DAB4C040F
SHA256: 98FE8B9857375588722D2D2A325AF6C998E8AD93F87EC84C2A409C21979D0210
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - js-helper\sectionBlock.js | text
MD5: F3CEABB3DDBAA0982239327331D88D66
SHA256: A2F4905F689D52FA34DD7A2865E0A92E61C2C44DFC20872A76153D00EEEBE823
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - scripts\installer-lang\de.ps1 | text
MD5: 37D9C2056A081596DBB5E7CFD734F46D
SHA256: 8182B81C54E43218EE107996794C7FE2BD7C17B38A08513F18FDAE7C3DCF428D
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - patches\patches.json | binary
MD5: 3929616CC97738D86BF8D0494FB42F70
SHA256: BBE9E8E609CC669BF08DAB5EB39532C68D59F643982048E899BDD4711C6D1934
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - scripts\installer-lang\es.ps1 | text
MD5: 0CE9E6A5B54994F0E51A4F1E8E5BE71C
SHA256: 3CAF44D54D5B6381C66BA3D2CB3A6779DB575A4DD14A32FCE9870B3C40EE4FD0
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - scripts\installer-lang\el.ps1 | text
MD5: B511C932A78E9D07A0E07D239CAE2D30
SHA256: 796E6527F14BAAA39DDB4A4652A909FDE0C73F8B918B4A726C8E4CC305B1BADB
1452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1452.37069\sinashop - SPOTIFY\sina - scripts\installer-lang\en.ps1 | text
MD5: D67F569DA5C55D82AA66DDAA91E62E72
SHA256: E5FA948B37B2589912B80F1732385D0E677E15E0BCADE69ADCEF9C6547052C9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 25
DNS requests: 4
Threats: 1

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5376
powershell.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
5376
powershell.exe
185.199.109.153:443
spotx-official.github.io
FASTLY
US
shared
5228
powershell.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
5228
powershell.exe
185.199.109.153:443
spotx-official.github.io
FASTLY
US
shared
3332
powershell.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
whitelisted
spotx-official.github.io
  • 185.199.109.153
  • 185.199.108.153
  • 185.199.111.153
  • 185.199.110.153
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info