File name: syncthing-windows-setup.exe

Full analysis: https://app.any.run/tasks/98ed3947-e127-4548-824b-ef383684b615
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 25, 2025, 14:37:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: adware, innosetup, inno, installer, delphi, arch-exec, arch-doc, syncthing, rmm-tool, golang, pecompact
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: B52C5A4CB18A12477CFAA31DBD1C88CA
SHA1: 579D938EEDBB7F99E5151196E77405FCC7B1BE4B
SHA256: 3ECFAC6D2881EDA307FA37C1D24B3CC9F64F7928BAA6DB344891301162D4EA78
SSDEEP: 98304:ALVIF8P3n1BLHxtD59KEKjSvDkjSRa6V7eK7KXi0xp6RXxTPpvUZIIRPuJsfmgvT:0O1iDZOL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Checks for elevated access (SCRIPT)

      • wscript.exe (PID: 3756)
      • cscript.exe (PID: 3952)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 3756)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • syncthing-windows-setup.tmp (PID: 440)
    • Executable content was dropped or overwritten

      • syncthing-windows-setup.exe (PID: 6200)
      • syncthing-windows-setup.tmp (PID: 440)
    • The process executes JS scripts

      • syncthing-windows-setup.tmp (PID: 440)
    • Accesses command line arguments (SCRIPT)

      • cscript.exe (PID: 3952)
      • wscript.exe (PID: 3756)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 3952)
      • wscript.exe (PID: 3756)
    • Executes application which crashes

      • cscript.exe (PID: 3952)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5628)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3756)
      • cscript.exe (PID: 3952)
    • Accesses commandline named arguments (SCRIPT)

      • wscript.exe (PID: 3756)
      • cscript.exe (PID: 3952)
    • Gets name of the script (SCRIPT)

      • wscript.exe (PID: 3756)
      • cscript.exe (PID: 3952)
    • Application launched itself

      • syncthing.exe (PID: 188)
    • Uses ROUTE.EXE to obtain the routing table information

      • syncthing.exe (PID: 984)
    • Connects to unusual port

      • syncthing.exe (PID: 984)
    • Starts CMD.EXE for commands execution

      • syncthing.exe (PID: 984)
    • Connects to FTP

      • syncthing.exe (PID: 984)
  • INFO

    • Create files in a temporary directory

      • syncthing-windows-setup.exe (PID: 6200)
      • syncthing-windows-setup.tmp (PID: 440)
    • Checks supported languages

      • syncthing-windows-setup.exe (PID: 6200)
      • syncthing-windows-setup.tmp (PID: 440)
      • jq.exe (PID: 1208)
      • unzip.exe (PID: 7064)
      • syncthing.exe (PID: 984)
      • syncthing.exe (PID: 188)
      • identity_helper.exe (PID: 7480)
    • Reads Environment values

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing-windows-setup.exe (PID: 6200)
      • syncthing.exe (PID: 188)
      • syncthing.exe (PID: 984)
      • identity_helper.exe (PID: 7480)
    • Reads the computer name

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing.exe (PID: 188)
      • syncthing.exe (PID: 984)
      • identity_helper.exe (PID: 7480)
    • Checks proxy server information

      • syncthing-windows-setup.tmp (PID: 440)
      • WerFault.exe (PID: 5628)
      • slui.exe (PID: 6724)
    • The sample compiled with english language support

      • syncthing-windows-setup.tmp (PID: 440)
    • Creates files or folders in the user directory

      • syncthing-windows-setup.tmp (PID: 440)
      • WerFault.exe (PID: 5628)
      • syncthing.exe (PID: 188)
      • syncthing.exe (PID: 984)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 3952)
      • notepad.exe (PID: 2144)
      • notepad.exe (PID: 6940)
      • notepad.exe (PID: 5140)
    • Reads the machine GUID from the registry

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing.exe (PID: 984)
    • Reads the software policy settings

      • syncthing-windows-setup.tmp (PID: 440)
      • WerFault.exe (PID: 5628)
      • syncthing.exe (PID: 984)
      • slui.exe (PID: 6724)
    • Detects InnoSetup installer (YARA)

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing-windows-setup.exe (PID: 6200)
    • Compiled with Borland Delphi (YARA)

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing-windows-setup.exe (PID: 6200)
    • SYNCTHING has been detected

      • syncthing-windows-setup.tmp (PID: 440)
      • syncthing.exe (PID: 984)
    • Creates a software uninstall entry

      • syncthing-windows-setup.tmp (PID: 440)
    • Manual execution by a user

      • notepad.exe (PID: 5140)
      • syncthing.exe (PID: 188)
      • notepad.exe (PID: 2144)
      • notepad.exe (PID: 6940)
      • OpenWith.exe (PID: 7880)
      • OpenWith.exe (PID: 8024)
      • OpenWith.exe (PID: 7952)
    • Reads product name

      • syncthing.exe (PID: 188)
      • syncthing.exe (PID: 984)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • syncthing.exe (PID: 984)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 1800)
    • Application launched itself

      • msedge.exe (PID: 5104)
      • msedge.exe (PID: 4312)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7880)
      • OpenWith.exe (PID: 7952)
      • OpenWith.exe (PID: 8024)
    • PECompact has been detected (YARA)

      • syncthing.exe (PID: 188)
    • Application based on Golang

      • syncthing.exe (PID: 188)
    • Detects GO elliptic curve encryption (YARA)

      • syncthing.exe (PID: 188)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:03 14:45:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 162304
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.29.1.0
ProductVersionNumber: 1.29.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Syncthing Foundation
FileDescription: Syncthing Setup
FileVersion: 1.29.1.0
LegalCopyright:
OriginalFileName:
ProductName: Syncthing
ProductVersion: 1.29.1.0
All screenshots are available in the full report
Total processes: 188
Monitored processes: 47
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start → syncthing-windows-setup.exe, syncthing-windows-setup.tmp, jq.exe, conhost.exe (no specs), unzip.exe (no specs), conhost.exe (no specs), cscript.exe, conhost.exe (no specs), werfault.exe, wscript.exe (no specs), notepad.exe (no specs), syncthing.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), syncthing.exe, notepad.exe (no specs), cmd.exe (no specs), route.exe (no specs), msedge.exe (no specs), msedge.exe, slui.exe, rundll32.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), identity_helper.exe (no specs), identity_helper.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), svchost.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 188
CMD: "C:\Users\admin\Desktop\syncthing.exe"
Path: C:\Users\admin\Desktop\syncthing.exe
Parent process: explorer.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Version: 1.29.7
Modules (images):
c:\users\admin\desktop\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll

PID: 440
CMD: "C:\Users\admin\AppData\Local\Temp\is-SC1LJ.tmp\syncthing-windows-setup.tmp" /SL5="$A023C,3099047,867840,C:\Users\admin\Desktop\syncthing-windows-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-SC1LJ.tmp\syncthing-windows-setup.tmp
Parent process: syncthing-windows-setup.exe
User: admin
Company: Syncthing Foundation
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-sc1lj.tmp\syncthing-windows-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

PID: 984
CMD: C:\Users\admin\Desktop\syncthing.exe
Path: C:\Users\admin\Desktop\syncthing.exe
Parent process: syncthing.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Version: 1.29.7
Modules (images):
c:\users\admin\desktop\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll

PID: 1208
CMD: "C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\jq.exe" -r .name "C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\is-30QTD.json"
Path: C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\jq.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\is-3q128.tmp\jq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1328
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=2060,i,10675923132729757205,14846636300465942156,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1800
CMD: route print 0.0.0.0
Path: C:\Windows\System32\ROUTE.EXE
Parent process: syncthing.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll

PID: 2140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6160,i,10675923132729757205,14846636300465942156,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 3221226029
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll

PID: 2144
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LICENSE.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2280
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2200,i,10675923132729757205,14846636300465942156,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 32 537
Read events: 32 492
Write events: 45
Delete events: 0

Modification events

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.4.3

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Programs\Syncthing

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\Syncthing\

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Syncthing

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value: startatlogon,startafterinstall

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value: startatlogon\acpoweronly,desktopicon

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Language
Value: en

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: DisplayName
Value: Syncthing (Current user)

(PID) Process: (440) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.ico

Executable files: 10
Suspicious files: 107
Text files: 69
Unknown types: 34

Dropped files

PID | Process | Filename | Type

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Programs\Syncthing\is-BUSUR.tmp | text
MD5: EC8442F231D198AB7FAD45381C264615
SHA256: 21C6E435B90EE5E9A554D44A372595D672D3D6347A4A1D9F4D26C795BB47F2B4

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\UninsIS.dll | executable
MD5: 12A6A2745E727B3FD5687A053CA9D25E
SHA256: 5242B874044091EB29CBA5ADFC58E1B98A7E18FA0D2918A3BEF673C8E80DE2C3

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\ProcessCheck.dll | executable
MD5: 1BDA409A2AE39DAB683DCB12247EEE9E
SHA256: 58C64F6246E94047C862FDEA273F297FFCE285523CA1D8B1D78E48096AFBF9CF

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\is-BNUMG.tmp | binary
MD5: 8FDD0EA628A9ECF3482635119C7CEA17
SHA256: EF214F62B6513469C9D68D7FFE6E00860356F3231DC4E714B32D43A91DE9A259

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Programs\Syncthing\is-ON2I5.tmp | text
MD5: 5135571C1310386CBCB23C74D98D0E33
SHA256: 229E4F4D2BCC07AAD0C2E0730432264ED8A5D253C213C22D34BEE66A5827BEF0

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\unzip.exe | executable
MD5: B9B6D58A1AA38DF2C0B753DF2C049BF6
SHA256: B4ABD97F03F0C8C4DE84F91315BBC5610FD51B926941EB39625ED27667D558E9

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js | text
MD5: EC8442F231D198AB7FAD45381C264615
SHA256: 21C6E435B90EE5E9A554D44A372595D672D3D6347A4A1D9F4D26C795BB47F2B4

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Programs\Syncthing\is-EKLCJ.tmp | text
MD5: F876A6833E4ABB2E11D5D442CF82243D
SHA256: 14E7387DD0CCC32B70AE47CCB16D9FAAB3D914ED6CF29B8D49D99A04B9739B21

440 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-3Q128.tmp\syncthing-windows-amd64-v1.29.7.zip | compressed
MD5: E6F9E498F75C7F5B66696DFE5114DCA9
SHA256: C013076619B9BFE451B3D600BA256AC4E6AFEE25CBFCE244A68155E805BE854F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 78
TCP/UDP connections: 210
DNS requests: 77
Threats: 144

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
140.82.121.6:443
https://api.github.com/repos/syncthing/syncthing/releases/latest
unknown
binary
95.0 Kb
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1936
RUXIMICS.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1936
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.159.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.31.1:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1936
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
440
syncthing-windows-setup.tmp
140.82.121.6:443
api.github.com
GITHUB
US
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5944
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1936
RUXIMICS.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1268
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
api.github.com
  • 140.82.121.6
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.4
  • 20.190.159.0
  • 40.126.31.130
  • 20.190.159.128
  • 40.126.31.69
  • 20.190.159.75
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
github.com
  • 140.82.121.4
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
whitelisted

Threats

PID
Process
Class
Message
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
2200
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (syncthing .net)
Process | Message
jq.exe | Invalid parameter passed to C runtime function.
jq.exe | Invalid parameter passed to C runtime function.