File name: syncthing-windows-setup.exe

Full analysis: https://app.any.run/tasks/ad42db18-2bdc-4ce7-a51c-d1d52758a0d6
Verdict: Malicious activity
Analysis date: April 25, 2025, 12:54:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 747996791B111FB871C071D42B8C44C4
SHA1: 5126ED038464659E9EBBA809FD955C92C62DC377
SHA256: 2E01FA54CD7DE8E202504C9D7B497082AB778E47066F83B7D012F55CF33D42AC
SSDEEP: 98304:g6Gavik4aM9r/3g6K4ZQQPb5Ss0YXTvW6z18AXkqYqjYYC4iC7j1CI3sT/BtF0eW:aDloLdu3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Checks for elevated access (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 7036)
    • Gets security context of the user (SCRIPT)

      • cscript.exe (PID: 7152)
    • Gets context to execute command-line operations (SCRIPT)

      • cscript.exe (PID: 7152)
    • Access Task Scheduler's settings (SCRIPT)

      • cscript.exe (PID: 7152)
    • Creates a new scheduled task (SCRIPT)

      • cscript.exe (PID: 7152)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • syncthing-windows-setup.exe (PID: 2320)
      • syncthing-windows-setup.tmp (PID: 6032)
      • unzip.exe (PID: 536)
    • Reads the Windows owner or organization settings

      • syncthing-windows-setup.tmp (PID: 6032)
    • The process executes JS scripts

      • syncthing-windows-setup.tmp (PID: 6032)
      • wscript.exe (PID: 7036)
    • Accesses command line arguments (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Accesses commandline named arguments (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Gets name of the script (SCRIPT)

      • cscript.exe (PID: 5392)
      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Executes application which crashes

      • cscript.exe (PID: 5392)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5280)
    • Application launched itself

      • wscript.exe (PID: 7036)
      • syncthing.exe (PID: 5428)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7036)
      • cscript.exe (PID: 5800)
    • Gets context to manipulate scheduled tasks (SCRIPT)

      • cscript.exe (PID: 7152)
    • Gets a folder of registered tasks (SCRIPT)

      • cscript.exe (PID: 7152)
    • Gets or sets the principal for the task (SCRIPT)

      • cscript.exe (PID: 7152)
    • Gets scheduled task context (SCRIPT)

      • cscript.exe (PID: 7152)
    • Accesses Scheduled Task settings (SCRIPT)

      • cscript.exe (PID: 7152)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 7152)
    • Accesses current user name via WMI (SCRIPT)

      • cscript.exe (PID: 7152)
    • Gets context to manipulate triggers of a scheduled task (SCRIPT)

      • cscript.exe (PID: 7152)
    • The process downloads a VBScript from the remote host

      • syncthing-windows-setup.tmp (PID: 6032)
    • Script creates XML DOM node (SCRIPT)

      • cscript.exe (PID: 5800)
    • Creates a Folder object (SCRIPT)

      • cscript.exe (PID: 5800)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 5800)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 5800)
    • Uses ROUTE.EXE to obtain the routing table information

      • syncthing.exe (PID: 2064)
    • Connects to unusual port

      • syncthing.exe (PID: 2064)
    • Reads security settings of Internet Explorer

      • syncthing-windows-setup.tmp (PID: 6032)
  • INFO

    • Checks supported languages

      • syncthing-windows-setup.exe (PID: 2320)
      • syncthing-windows-setup.tmp (PID: 6032)
      • jq.exe (PID: 1764)
      • unzip.exe (PID: 1188)
      • unzip.exe (PID: 536)
      • syncthing.exe (PID: 2192)
      • stctl.exe (PID: 3888)
      • syncthing.exe (PID: 5428)
      • syncthing.exe (PID: 2064)
    • Create files in a temporary directory

      • syncthing-windows-setup.exe (PID: 2320)
      • syncthing-windows-setup.tmp (PID: 6032)
    • Reads the computer name

      • syncthing-windows-setup.tmp (PID: 6032)
      • syncthing.exe (PID: 2192)
      • syncthing.exe (PID: 5428)
      • syncthing.exe (PID: 2064)
      • identity_helper.exe (PID: 7736)
    • The sample compiled with english language support

      • syncthing-windows-setup.tmp (PID: 6032)
    • Checks proxy server information

      • syncthing-windows-setup.tmp (PID: 6032)
    • Reads the software policy settings

      • syncthing-windows-setup.tmp (PID: 6032)
      • syncthing.exe (PID: 2064)
    • Detects InnoSetup installer (YARA)

      • syncthing-windows-setup.exe (PID: 2320)
      • syncthing-windows-setup.tmp (PID: 6032)
    • Compiled with Borland Delphi (YARA)

      • syncthing-windows-setup.exe (PID: 2320)
      • syncthing-windows-setup.tmp (PID: 6032)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5392)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • SYNCTHING has been detected

      • syncthing-windows-setup.tmp (PID: 6032)
      • unzip.exe (PID: 536)
    • Creates files or folders in the user directory

      • syncthing-windows-setup.tmp (PID: 6032)
      • WerFault.exe (PID: 5280)
      • unzip.exe (PID: 536)
      • syncthing.exe (PID: 2192)
      • syncthing.exe (PID: 5428)
      • syncthing.exe (PID: 2064)
    • Creates a software uninstall entry

      • syncthing-windows-setup.tmp (PID: 6032)
    • Self-termination (SCRIPT)

      • wscript.exe (PID: 7036)
      • wscript.exe (PID: 4428)
      • cscript.exe (PID: 7152)
      • cscript.exe (PID: 5800)
    • Reads product name

      • syncthing.exe (PID: 2192)
      • syncthing.exe (PID: 5428)
      • syncthing.exe (PID: 2064)
    • Reads Environment values

      • syncthing.exe (PID: 2192)
      • syncthing.exe (PID: 5428)
      • syncthing.exe (PID: 2064)
      • identity_helper.exe (PID: 7736)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 6244)
    • Local mutex for internet shortcut management

      • syncthing-windows-setup.tmp (PID: 6032)
    • Application launched itself

      • msedge.exe (PID: 6668)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:12 05:53:16+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 684032
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa7f98
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.29.0.0
ProductVersionNumber: 1.29.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Syncthing Foundation
FileDescription: Syncthing Setup
FileVersion: 1.29.0.0
LegalCopyright:
OriginalFileName:
ProductName: Syncthing
ProductVersion: 1.29.0.0
No data.
All screenshots are available in the full report
Total processes: 181
Monitored processes: 49
Malicious processes: 9
Suspicious processes: 1

Behavior graph

start syncthing-windows-setup.exe syncthing-windows-setup.tmp jq.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs unzip.exe no specs conhost.exe no specs cscript.exe conhost.exe no specs werfault.exe no specs wscript.exe no specs wscript.exe unzip.exe conhost.exe no specs cscript.exe no specs conhost.exe no specs cscript.exe no specs conhost.exe no specs syncthing.exe no specs conhost.exe no specs stctl.exe no specs syncthing.exe no specs conhost.exe no specs syncthing.exe route.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 536
CMD: "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\unzip.exe" -jo -d "C:\Users\admin\AppData\Local\Programs\Syncthing" "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\syncthing-windows-amd64-v1.29.5.zip" */syncthing.exe */AUTHORS.txt */README.txt */LICENSE.txt
Path: C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\unzip.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Company: Info-ZIP
Integrity Level: MEDIUM
Description: Info-ZIP's UnZip for Win32 console
Exit code: 0
Version: 6.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vv3if.tmp\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2404 --field-trial-handle=2372,i,17275684206627168304,4454481290329455969,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1188
CMD: "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\unzip.exe" -t "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\syncthing-windows-amd64-v1.29.5.zip" */syncthing.exe */AUTHORS.txt */README.txt */LICENSE.txt
Path: C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\unzip.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Company: Info-ZIP
Integrity Level: MEDIUM
Description: Info-ZIP's UnZip for Win32 console
Exit code: 0
Version: 6.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vv3if.tmp\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1764
CMD: "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\jq.exe" -r .name "C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\is-1SL5F.json"
Path: C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\jq.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\is-vv3if.tmp\jq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2064
CMD: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe --no-browser
Path: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe
Parent process: syncthing.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Version: 1.29.5
Modules
Images
c:\users\admin\appdata\local\programs\syncthing\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 2140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3728 --field-trial-handle=2372,i,17275684206627168304,4454481290329455969,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: "C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe" generate --skip-port-probing --home="C:\Users\admin\AppData\Local\Syncthing"
Path: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe
Parent process: cscript.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Exit code: 0
Version: 1.29.5
Modules
Images
c:\users\admin\appdata\local\programs\syncthing\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
Total events: 16 482
Read events: 16 437
Write events: 45
Delete events: 0

Modification events

All ten events were written by PID 6032 (syncthing-windows-setup.tmp) under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1 (operation: write).

Name = Value
Inno Setup: Setup Version = 6.4.1
Inno Setup: App Path = C:\Users\admin\AppData\Local\Programs\Syncthing
InstallLocation = C:\Users\admin\AppData\Local\Programs\Syncthing\
Inno Setup: Icon Group = Syncthing
Inno Setup: User = admin
Inno Setup: Selected Tasks = startatlogon,startafterinstall
Inno Setup: Deselected Tasks = startatlogon\acpoweronly,desktopicon
Inno Setup: Language = en
DisplayName = Syncthing (Current user)
DisplayIcon = C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.ico
Executable files: 17
Suspicious files: 195
Text files: 59
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\UninsIS.dll (executable)
MD5: DABFA796F4C8C931201670D8304EED12
SHA256: A699468A284B24A4CF759A6FBC4EFC15FF5A99B2242677C919D0479D6AE700FF

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\_isetup\_setup64.tmp (executable)
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

2320 syncthing-windows-setup.exe C:\Users\admin\AppData\Local\Temp\is-2JJ5H.tmp\syncthing-windows-setup.tmp (executable)
MD5: 5F075608A3C6F14CABE641F25BD821C8
SHA256: 32144954F5F81310049C0CC7816F5ABAA27E1E6D35A5853DAA76BB5FEFA2F2D4

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\ProcessCheck.dll (executable)
MD5: 1BDA409A2AE39DAB683DCB12247EEE9E
SHA256: 58C64F6246E94047C862FDEA273F297FFCE285523CA1D8B1D78E48096AFBF9CF

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\unzip.exe (executable)
MD5: B9B6D58A1AA38DF2C0B753DF2C049BF6
SHA256: B4ABD97F03F0C8C4DE84F91315BBC5610FD51B926941EB39625ED27667D558E9

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\jq.exe (executable)
MD5: 336671437F8806FDD4E82BA63A9C0FFA
SHA256: E4EFDD6A2C463AE714ED98FD5E874FE834A3A2380E17885BD4CDA1C49E5166DF

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\is-L66HO.tmp (binary)
MD5: 6BEBCE503D37B976A9D45F41B4FFC0A2
SHA256: FA354E9B35DD04DC34C311C34AFCA8BE612D980A985144C176F8A16FF67380AE

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\License.rtf (text)
MD5: AF332F9C296C8FA5670734A786E2EBC7
SHA256: AA3117E64E1B5A7A57228F279C1B4A6DB58899057FAA8CC4F849BF3F384A966D

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\syncthing-windows-amd64-v1.29.5.zip (compressed)
MD5: 712B5DDC435950E6F326EA28D92D6CC4
SHA256: 5C7347C6C32B39654E9F60772135EEAA76438A9D627FFB0FB41FE15F8AECFD0D

6032 syncthing-windows-setup.tmp C:\Users\admin\AppData\Local\Temp\is-VV3IF.tmp\is-1SL5F.json (binary)
MD5: 6BEBCE503D37B976A9D45F41B4FFC0A2
SHA256: FA354E9B35DD04DC34C311C34AFCA8BE612D980A985144C176F8A16FF67380AE
HTTP(S) requests: 7
TCP/UDP connections: 147
DNS requests: 45
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns are empty for every row; "-" marks a cell the report left blank)
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
856 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
856 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6228 | msedge.exe | GET | 204 | 150.171.74.11:80 | http://edge-http.microsoft.com/captiveportal/generate_204 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the report left blank)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6032 | syncthing-windows-setup.tmp | 140.82.121.6:443 | api.github.com | GITHUB | US | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
  • 23.53.40.202
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.microsoft.com
  • 72.246.169.155
  • 2.23.246.101
whitelisted
api.github.com
  • 140.82.121.6
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.5
  • 20.190.160.17
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.14
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
github.com
  • 140.82.121.3
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2064 | syncthing.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2064 | syncthing.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2064 | syncthing.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
No debug info