File name: syncthing-windows-setup.exe

Full analysis: https://app.any.run/tasks/c227829c-81ef-4c66-a616-485e6baed75e
Verdict: Malicious activity
Analysis date: December 28, 2024, 19:42:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 8C43F7254877E5EBFD306DE5BC3674B4
SHA1: 0C5B35F1E628AEC41F13A45B008F43507C57562C
SHA256: C562ED75EAB95CF6756897D7D2A862AE640ED559E424B47375996456AD603A76
SSDEEP: 98304:mrq3BdwG+/DrBFTmVS+0/daCYPGsNjS8tG+AQxxtoQSfvwhED6YnPBqmTXcwGlyo:+pX6mpcMq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Checks for elevated access (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 5696)
    • Gets context to execute command-line operations (SCRIPT)

      • cscript.exe (PID: 5560)
    • Creates a new scheduled task (SCRIPT)

      • cscript.exe (PID: 5560)
    • Gets security context of the user (SCRIPT)

      • cscript.exe (PID: 5560)
    • Access Task Scheduler's settings (SCRIPT)

      • cscript.exe (PID: 5560)
    • Connects to the CnC server

      • syncthing.exe (PID: 2008)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • syncthing-windows-setup.tmp (PID: 2972)
      • syncthing-windows-setup.exe (PID: 3224)
      • unzip.exe (PID: 736)
    • Reads the Windows owner or organization settings

      • syncthing-windows-setup.tmp (PID: 2972)
    • The process executes JS scripts

      • syncthing-windows-setup.tmp (PID: 2972)
      • wscript.exe (PID: 5696)
    • Accesses command line arguments (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • Accesses commandline named arguments (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • Gets name of the script (SCRIPT)

      • cscript.exe (PID: 2676)
      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • Executes application which crashes

      • cscript.exe (PID: 2676)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 2040)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5696)
      • cscript.exe (PID: 5980)
    • Application launched itself

      • wscript.exe (PID: 5696)
      • syncthing.exe (PID: 848)
      • syncthing.exe (PID: 3792)
      • syncthing.exe (PID: 1540)
    • Gets a folder of registered tasks (SCRIPT)

      • cscript.exe (PID: 5560)
    • Accesses current user name via WMI (SCRIPT)

      • cscript.exe (PID: 5560)
    • Accesses Scheduled Task settings (SCRIPT)

      • cscript.exe (PID: 5560)
    • Gets context to manipulate triggers of a scheduled task (SCRIPT)

      • cscript.exe (PID: 5560)
    • Gets or sets the principal for the task (SCRIPT)

      • cscript.exe (PID: 5560)
    • Gets context to manipulate scheduled tasks (SCRIPT)

      • cscript.exe (PID: 5560)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 5560)
    • The process downloads a VBScript from the remote host

      • syncthing-windows-setup.tmp (PID: 2972)
    • Script creates XML DOM node (SCRIPT)

      • cscript.exe (PID: 5980)
    • Gets scheduled task context (SCRIPT)

      • cscript.exe (PID: 5560)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 5980)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 5980)
    • Creates a Folder object (SCRIPT)

      • cscript.exe (PID: 5980)
    • Uses ROUTE.EXE to obtain the routing table information

      • syncthing.exe (PID: 2008)
    • Connects to unusual port

      • syncthing.exe (PID: 2008)
  • INFO

    • Create files in a temporary directory

      • syncthing-windows-setup.exe (PID: 3224)
      • syncthing-windows-setup.tmp (PID: 2972)
    • Checks supported languages

      • syncthing-windows-setup.tmp (PID: 2972)
      • syncthing-windows-setup.exe (PID: 3224)
      • jq.exe (PID: 4540)
      • unzip.exe (PID: 1704)
      • unzip.exe (PID: 736)
      • syncthing.exe (PID: 4444)
      • syncthing.exe (PID: 848)
      • stctl.exe (PID: 2744)
      • syncthing.exe (PID: 2008)
      • syncthing.exe (PID: 3792)
      • syncthing.exe (PID: 3260)
      • syncthing.exe (PID: 876)
      • syncthing.exe (PID: 5920)
      • syncthing.exe (PID: 5788)
      • syncthing.exe (PID: 3040)
      • syncthing.exe (PID: 1540)
      • syncthing.exe (PID: 5496)
      • syncthing.exe (PID: 3172)
    • Reads the computer name

      • syncthing-windows-setup.tmp (PID: 2972)
      • syncthing.exe (PID: 848)
      • syncthing.exe (PID: 4444)
      • syncthing.exe (PID: 2008)
      • syncthing.exe (PID: 3792)
      • syncthing.exe (PID: 3260)
      • syncthing.exe (PID: 876)
      • syncthing.exe (PID: 5920)
      • syncthing.exe (PID: 5788)
      • syncthing.exe (PID: 1540)
      • syncthing.exe (PID: 5496)
      • syncthing.exe (PID: 3040)
      • syncthing.exe (PID: 3172)
    • Checks proxy server information

      • syncthing-windows-setup.tmp (PID: 2972)
      • WerFault.exe (PID: 2040)
    • The sample compiled with english language support

      • syncthing-windows-setup.tmp (PID: 2972)
    • Reads the software policy settings

      • syncthing-windows-setup.tmp (PID: 2972)
      • WerFault.exe (PID: 2040)
      • syncthing.exe (PID: 2008)
    • Reads the machine GUID from the registry

      • syncthing-windows-setup.tmp (PID: 2972)
      • syncthing.exe (PID: 2008)
    • Sends debugging messages

      • jq.exe (PID: 4540)
    • Creates files or folders in the user directory

      • syncthing-windows-setup.tmp (PID: 2972)
      • WerFault.exe (PID: 2040)
      • unzip.exe (PID: 736)
      • syncthing.exe (PID: 4444)
      • syncthing.exe (PID: 2008)
    • Creates a software uninstall entry

      • syncthing-windows-setup.tmp (PID: 2972)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2676)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
      • notepad.exe (PID: 4388)
      • notepad.exe (PID: 4912)
      • notepad.exe (PID: 6084)
    • Self-termination (SCRIPT)

      • wscript.exe (PID: 5696)
      • wscript.exe (PID: 5556)
      • cscript.exe (PID: 5560)
      • cscript.exe (PID: 5980)
    • The process uses the downloaded file

      • wscript.exe (PID: 5696)
      • cscript.exe (PID: 5980)
    • Reads product name

      • syncthing.exe (PID: 848)
      • syncthing.exe (PID: 4444)
      • syncthing.exe (PID: 2008)
      • syncthing.exe (PID: 3792)
      • syncthing.exe (PID: 5920)
      • syncthing.exe (PID: 3260)
      • syncthing.exe (PID: 876)
      • syncthing.exe (PID: 1540)
      • syncthing.exe (PID: 5788)
      • syncthing.exe (PID: 3172)
      • syncthing.exe (PID: 3040)
      • syncthing.exe (PID: 5496)
    • Reads Environment values

      • syncthing.exe (PID: 4444)
      • syncthing.exe (PID: 848)
      • syncthing.exe (PID: 2008)
      • syncthing.exe (PID: 3792)
      • syncthing.exe (PID: 5920)
      • syncthing.exe (PID: 3260)
      • syncthing.exe (PID: 876)
      • syncthing.exe (PID: 1540)
      • syncthing.exe (PID: 5788)
      • syncthing.exe (PID: 3040)
      • syncthing.exe (PID: 3172)
      • syncthing.exe (PID: 5496)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • syncthing.exe (PID: 2008)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • syncthing.exe (PID: 2008)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 1732)
    • Manual execution by a user

      • syncthing.exe (PID: 3792)
      • notepad.exe (PID: 4388)
      • notepad.exe (PID: 4912)
      • OpenWith.exe (PID: 4128)
      • OpenWith.exe (PID: 3208)
      • OpenWith.exe (PID: 5340)
      • OpenWith.exe (PID: 2744)
      • OpenWith.exe (PID: 2408)
      • notepad.exe (PID: 6084)
      • OpenWith.exe (PID: 4468)
      • syncthing.exe (PID: 1540)
      • OpenWith.exe (PID: 6060)
      • OpenWith.exe (PID: 3488)
      • OpenWith.exe (PID: 4056)
      • OpenWith.exe (PID: 3896)
    • Application based on Golang

      • syncthing.exe (PID: 848)
      • syncthing.exe (PID: 2008)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4128)
      • OpenWith.exe (PID: 2744)
      • OpenWith.exe (PID: 3208)
      • OpenWith.exe (PID: 2408)
      • OpenWith.exe (PID: 5340)
      • OpenWith.exe (PID: 4468)
      • OpenWith.exe (PID: 3896)
      • OpenWith.exe (PID: 6060)
      • OpenWith.exe (PID: 4056)
      • OpenWith.exe (PID: 3488)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.28.0.0
ProductVersionNumber: 1.28.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Syncthing Foundation
FileDescription: Syncthing Setup
FileVersion: 1.28.0.0
LegalCopyright:
OriginalFileName:
ProductName: Syncthing
ProductVersion: 1.28.0.0
No data.
Total processes: 172
Monitored processes: 49
Malicious processes: 12
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (processes marked "no specs" carry no specifications in the graph): start, syncthing-windows-setup.exe, syncthing-windows-setup.tmp, jq.exe, conhost.exe (no specs), unzip.exe (no specs), conhost.exe (no specs), cscript.exe, conhost.exe (no specs), werfault.exe, wscript.exe (no specs), wscript.exe, unzip.exe, conhost.exe (no specs), cscript.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), conhost.exe (no specs), syncthing.exe (no specs), conhost.exe (no specs), stctl.exe (no specs), syncthing.exe (no specs), conhost.exe (no specs), syncthing.exe, route.exe (no specs), syncthing.exe (no specs), conhost.exe (no specs), syncthing.exe (no specs), syncthing.exe (no specs), syncthing.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), syncthing.exe (no specs), conhost.exe (no specs), syncthing.exe (no specs), syncthing.exe (no specs), syncthing.exe (no specs), syncthing.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), svchost.exe

Process information

PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: jq.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 736
CMD: "C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\unzip.exe" -jo -d "C:\Users\admin\AppData\Local\Programs\Syncthing" "C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\syncthing-windows-amd64-v1.28.1.zip" */syncthing.exe */AUTHORS.txt */README.txt */LICENSE.txt
Path: C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\unzip.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Company: Info-ZIP
Integrity Level: MEDIUM
Description: Info-ZIP's UnZip for Win32 console
Exit code: 0
Version: 6.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-ak758.tmp\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 836
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: syncthing.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 848
CMD: "C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe" --no-browser
Path: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.exe
Parent process: stctl.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Version: 1.28.1
Modules (Images):
c:\users\admin\appdata\local\programs\syncthing\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll

PID: 876
CMD: C:\Users\admin\Desktop\syncthing.exe
Path: C:\Users\admin\Desktop\syncthing.exe
Parent process: syncthing.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Exit code: 1
Version: 1.28.1
Modules (Images):
c:\users\admin\desktop\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll

PID: 1348
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: unzip.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: syncthing.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1540
CMD: "C:\Users\admin\Desktop\syncthing.exe"
Path: C:\Users\admin\Desktop\syncthing.exe
Parent process: explorer.exe
User: admin
Company: The Syncthing Authors
Integrity Level: MEDIUM
Description: Syncthing - Open Source Continuous File Synchronization
Exit code: 1
Version: 1.28.1
Modules (Images):
c:\users\admin\desktop\syncthing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
c:\windows\system32\ws2_32.dll

PID: 1704
CMD: "C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\unzip.exe" -t "C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\syncthing-windows-amd64-v1.28.1.zip" */syncthing.exe */AUTHORS.txt */README.txt */LICENSE.txt
Path: C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\unzip.exe
Parent process: syncthing-windows-setup.tmp
User: admin
Company: Info-ZIP
Integrity Level: MEDIUM
Description: Info-ZIP's UnZip for Win32 console
Exit code: 0
Version: 6.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-ak758.tmp\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1732
CMD: route print 0.0.0.0
Path: C:\Windows\System32\ROUTE.EXE
Parent process: syncthing.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events: 36 233
Read events: 36 207
Write events: 26
Delete events: 0

Modification events

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.3.3

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Programs\Syncthing

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\Syncthing\

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Syncthing

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value: startatlogon,startafterinstall

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value: startatlogon\acpoweronly,desktopicon

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: Inno Setup: Language
Value: en

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: DisplayName
Value: Syncthing (Current user)

(PID) Process: (2972) syncthing-windows-setup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EEA2B6F-FD76-47D7-B74C-03E14CF043F9}_is1
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\Syncthing\syncthing.ico
Executable files: 11
Suspicious files: 14
Text files: 26
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\ProcessCheck.dll | executable
MD5: 1BDA409A2AE39DAB683DCB12247EEE9E
SHA256: 58C64F6246E94047C862FDEA273F297FFCE285523CA1D8B1D78E48096AFBF9CF

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\unzip.exe | executable
MD5: B9B6D58A1AA38DF2C0B753DF2C049BF6
SHA256: B4ABD97F03F0C8C4DE84F91315BBC5610FD51B926941EB39625ED27667D558E9

3224 | syncthing-windows-setup.exe | C:\Users\admin\AppData\Local\Temp\is-RB5NA.tmp\syncthing-windows-setup.tmp | executable
MD5: 5CBF40E913075F67D89EF43F40BDC7ED
SHA256: DC0620B62E21DE5D38FFDC449531BA2965A6CA749DC45AF984FF56E1E82D3536

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\jq.exe | executable
MD5: 336671437F8806FDD4E82BA63A9C0FFA
SHA256: E4EFDD6A2C463AE714ED98FD5E874FE834A3A2380E17885BD4CDA1C49E5166DF

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\is-DI61F.tmp | compressed
MD5: 52A59FF6B40B89102331877DC20C9920
SHA256: 264976F5F6D01D321E2610CC6B18DC0000A524C3ECFD388F9EF7883E202E0A61

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\UninsIS.dll | executable
MD5: DABFA796F4C8C931201670D8304EED12
SHA256: A699468A284B24A4CF759A6FBC4EFC15FF5A99B2242677C919D0479D6AE700FF

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\License.rtf | text
MD5: AF332F9C296C8FA5670734A786E2EBC7
SHA256: AA3117E64E1B5A7A57228F279C1B4A6DB58899057FAA8CC4F849BF3F384A966D

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-AK758.tmp\syncthing-windows-amd64-v1.28.1.zip | compressed
MD5: 52A59FF6B40B89102331877DC20C9920
SHA256: 264976F5F6D01D321E2610CC6B18DC0000A524C3ECFD388F9EF7883E202E0A61

2972 | syncthing-windows-setup.tmp | C:\Users\admin\AppData\Local\Programs\Syncthing\is-2RQHH.tmp | text
MD5: 91BC7E2C13B3D0422585830E533D0D1C
SHA256: AFCC420347B9113209EF260E7498BAD66261B0C29B27EEB310D017531D01882E
HTTP(S) requests: 19
TCP/UDP connections: 805
DNS requests: 24
Threats: 42

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2736 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2144 | RUXIMICS.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2144 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2736 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/syncthing/syncthing/releases/download/v1.28.1/syncthing-windows-amd64-v1.28.1.zip | unknown | - | - | unknown
- | - | GET | 200 | 51.159.86.208:443 | https://upgrades.syncthing.net/meta.json | unknown | text | 12.6 Kb | unknown
- | - | GET | 200 | 51.159.86.208:443 | https://relays.syncthing.net/endpoint | unknown | binary | 49.4 Kb | malicious
- | - | POST | 403 | 51.159.86.208:443 | https://discovery-announce-v4.syncthing.net/v2/ | unknown | text | 10 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2144 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
2972 | syncthing-windows-setup.tmp | 140.82.121.5:443 | api.github.com | GITHUB | US | whitelisted
2736 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2144 | RUXIMICS.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.179
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.139
  • 104.126.37.136
whitelisted
google.com
  • 216.58.206.46
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
github.com
  • 140.82.121.3
shared
objects.githubusercontent.com
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
shared
watson.events.data.microsoft.com
  • 20.189.173.22
whitelisted
upgrades.syncthing.net
  • 51.159.86.208
malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO Commonly Actor Abused Online Service Domain (syncthing .net)
2008 | syncthing.exe | Misc activity | ET INFO Commonly Actor Abused Online Service Domain (syncthing .net)
2192 | svchost.exe | Misc activity | ET INFO Commonly Actor Abused Online Service Domain (syncthing .net)
2192 | svchost.exe | Misc activity | ET INFO Commonly Actor Abused Online Service Domain (syncthing .net)
2008 | syncthing.exe | Misc activity | ET INFO Commonly Actor Abused Online Service Domain (syncthing .net)
2008 | syncthing.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 167
2008 | syncthing.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 269
2008 | syncthing.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232
2008 | syncthing.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236
2008 | syncthing.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 310
Debug output strings

Process | Message
jq.exe | Invalid parameter passed to C runtime function.
jq.exe | Invalid parameter passed to C runtime function.