6899dcdace56d06f5a14ff221c38a220b913f7a475a5ba9ed437cb513d28dec4

Analysis

max time kernel
75s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
09/01/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

syncthing-1.27.2-setup.exe
Size

24.8MB
MD5

7f10a1db89c359ed97439a5e37fd88b9
SHA1

b70845d823a740285ccae34d88ad004422cdf38a
SHA256

6899dcdace56d06f5a14ff221c38a220b913f7a475a5ba9ed437cb513d28dec4
SHA512

9ab6bb213c3288c01dc9b5f3151860b3bf5ace44b10877679daf5d5a0cc203780450973d1a2a3ca959e41f972a028da93f718c5d5775762722c9ae381da95fea
SSDEEP

393216:rBzqFQkghoOCJewo9VtYbyNYEf5Ucy8b7g7p//J2gdJGVbuZzYi5L8TnvfJnHA8q:wFQZ0IVtYbGYEfG87g5zubudEnKBKE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5984	syncthing-1.27.2-setup.tmp
4188	syncthing.exe
4172	syncthing.exe

Loads dropped DLL 1 IoCs

pid	Process
5984	syncthing-1.27.2-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	syncthing.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	syncthing.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	syncthing.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5984	syncthing-1.27.2-setup.tmp
5984	syncthing-1.27.2-setup.tmp
5008	msedge.exe
5008	msedge.exe
4580	msedge.exe
4580	msedge.exe
3488	msedge.exe
3488	msedge.exe
5368	identity_helper.exe
5368	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5984	syncthing-1.27.2-setup.tmp
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 5984	4324	syncthing-1.27.2-setup.exe	80
PID 4324 wrote to memory of 5984	4324	syncthing-1.27.2-setup.exe	80
PID 4324 wrote to memory of 5984	4324	syncthing-1.27.2-setup.exe	80
PID 5984 wrote to memory of 912	5984	syncthing-1.27.2-setup.tmp	82
PID 5984 wrote to memory of 912	5984	syncthing-1.27.2-setup.tmp	82
PID 5984 wrote to memory of 4180	5984	syncthing-1.27.2-setup.tmp	84
PID 5984 wrote to memory of 4180	5984	syncthing-1.27.2-setup.tmp	84
PID 4180 wrote to memory of 4856	4180	wscript.exe	85
PID 4180 wrote to memory of 4856	4180	wscript.exe	85
PID 5984 wrote to memory of 3028	5984	syncthing-1.27.2-setup.tmp	87
PID 5984 wrote to memory of 3028	5984	syncthing-1.27.2-setup.tmp	87
PID 5984 wrote to memory of 2672	5984	syncthing-1.27.2-setup.tmp	88
PID 5984 wrote to memory of 2672	5984	syncthing-1.27.2-setup.tmp	88
PID 5984 wrote to memory of 4284	5984	syncthing-1.27.2-setup.tmp	90
PID 5984 wrote to memory of 4284	5984	syncthing-1.27.2-setup.tmp	90
PID 4188 wrote to memory of 4172	4188	syncthing.exe	95
PID 4188 wrote to memory of 4172	4188	syncthing.exe	95
PID 5984 wrote to memory of 4416	5984	syncthing-1.27.2-setup.tmp	97
PID 5984 wrote to memory of 4416	5984	syncthing-1.27.2-setup.tmp	97
PID 4172 wrote to memory of 5920	4172	syncthing.exe	98
PID 4172 wrote to memory of 5920	4172	syncthing.exe	98
PID 5984 wrote to memory of 4580	5984	syncthing-1.27.2-setup.tmp	99
PID 5984 wrote to memory of 4580	5984	syncthing-1.27.2-setup.tmp	99
PID 4580 wrote to memory of 1636	4580	msedge.exe	100
PID 4580 wrote to memory of 1636	4580	msedge.exe	100
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101
PID 4580 wrote to memory of 908	4580	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\syncthing-1.27.2-setup.exe
"C:\Users\Admin\AppData\Local\Temp\syncthing-1.27.2-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\is-S5VRQ.tmp\syncthing-1.27.2-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S5VRQ.tmp\syncthing-1.27.2-setup.tmp" /SL5="$B0060,25115347,832512,C:\Users\Admin\AppData\Local\Temp\syncthing-1.27.2-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5984
- - C:\Windows\system32\cscript.exe
    "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js" /test
    3⤵
    PID:912
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js" /create
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js" /elevated /create
      4⤵
      PID:4856
- - C:\Windows\system32\cscript.exe
    "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingLogonTask.js" /create /silent
    3⤵
    PID:3028
- - C:\Windows\system32\cscript.exe
    "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js" /test
    3⤵
    PID:2672
- - C:\Windows\system32\cscript.exe
    "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\StartSyncthing.js" /silent
    3⤵
    PID:4284
- - C:\Windows\system32\cscript.exe
    "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Programs\Syncthing\SetSyncthingConfig.js" /currentuser /autoupgradeinterval:12 /guiaddress:"127.0.0.1:8384" /relaysenabled:true
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://127.0.0.1:8384/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffddf2c3cb8,0x7ffddf2c3cc8,0x7ffddf2c3cd8
      4⤵
      PID:1636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      4⤵
      PID:1808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:5680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      PID:2576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:5448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:2880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12416006570554641267,3148265194572608214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:3860

C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe
"C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe" --no-browser
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe
  C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe --no-browser
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\route.exe
    route print 0.0.0.0
    3⤵
    PID:5920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0307d75488a9def144d0373178e421da

SHA1
1e4351dd4a29b6340913848163b4df62628ad06c

SHA256
9e1bd506806510408dcb9d5e1eab6672d905780282361f2b9974ab9a9ed1ab9e

SHA512
993dbb0491352352ca89542922df735fc7b3cc0d14a4790f106c25ee9fd616d0722151d05e045ed5863e56b128c3308a561b958bbf5fe3bb87498e8a6d12a50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
040069f4b6c193ec7877c79126498481

SHA1
25df14a1a55622af8aabe50058fd9dcad6c68c9e

SHA256
2c8157ab719a4c4c75a1ce40c0ae34fc9c24a3085582973d8fe4b77dba89d08d

SHA512
2022faea8e142c03e4647412ca53b63465a78cd9ada920a4f8d8d33a5d2d5ac707aca955527fd8cc7919471aaaca2cb81c37f29fd63c8d3184bd1fc16150cdd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02e7627b19c07f1034e6d5b6ddbf22ea

SHA1
bf1b0b4ed37d3939efbae09815f519e96f9b9da1

SHA256
14172578118ee57a8bbc6d6933d653a05c112e81469959ed6bba54e44c505ce4

SHA512
a5af437c005264de60bd131478cd46f4e83506e7bfad6a8b7380a8445f9aa0a979ea4ad0f6590d530a6bb42d24f14392bc6996db76375150c76c499847aa7342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
7df56618a27e4340c3fd432230f6cbee

SHA1
c9941a0bacea2db7d42339b37cbc00001a1365cc

SHA256
9eda63bda203058a565160d682ecaa1242651a3153614699949eacc14e3962dd

SHA512
83505613e1440e1a288668f99d776bc4e04038e11a07ec6135fc6aefbce68c9333084c720cceb21682286e36eb6f1a561878a9427db59d2157d7bd8cf78ca9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ace84d2f56d99d6b3318537be8d125b

SHA1
7af20fccd1505637d77a87fec53a4fd8a6f4583b

SHA256
db39a394c432581c6cf5b2d164407cb27af4d998bdf437ca43be05714dd95aa6

SHA512
4317898393123fde58a8604cf19d1156c21e67af8fb152c05a41ac10ae6e26dfd88b856c058a64f57d47be023d7530980f7caeb359e7ffd60a59b83fb3ab0a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
deaae27d2e8b659d7bb7858665e9450c

SHA1
5e7aeb8ad120b31a558c33702d6042c0968ef477

SHA256
33d5110b03742e6bf4e853e9a042d5b1a1083b974dc6b01bccc0dfb5bcdb5e01

SHA512
4cd6455207218fd1dda1719ae27ae440dd953b9088b38d674da60f721c5e9cd8549b5cee024fe99f3c7e799774bbd82b1afbcb2b59f994b5a70139d91e4bb942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4099141bc479b102e2f7d3a1417ef693

SHA1
78cf15e4c67221c0d5232290821226dc9160c9df

SHA256
2eb5d3ae2643ea8679d333aa71761155340720f219a4ba8a410136a2422e43b9

SHA512
87f5d85a6a1b55491a75b681e5f731f489c279caaf512a625a32d19c9c1a216e84c9f9ffa0e7399887659b65563ec02cd730a6b923c1bc6f5e14f12b90819888

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\SetSyncthingConfig.js

Filesize
5KB

MD5
91bc7e2c13b3d0422585830e533d0d1c

SHA1
dee91ff4aa96eaeda38608b3a0191c8abc9013d1

SHA256
afcc420347b9113209ef260e7498bad66261b0c29b27eeb310d017531d01882e

SHA512
004f25aa70da05f0e62554f804bbf57971949730f4f58da4f8a1e7725cb5de8ede28491e74e9fc50261a03ab5d5f4fc9484b355cf5547f8b6a1ec8c9b1b547aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\StartSyncthing.js

Filesize
2KB

MD5
35fd215889d5ab3a81a41ca28872f8f0

SHA1
e71ec5f9616d8b25d705660efaa02342b5cfabdd

SHA256
731f6b2d44fc213601aea537e5cd2f227943169a7f90e55ee7e372c055f6a1fa

SHA512
ed4a73290a714cfa2b1550e66f3d15b8cc1f6e3011ae3c16e5954b3644c5f6202b1aed12dcc171f07e811c65bd1c7922002e70c632c653e8b13bc3e558901164

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingFirewallRule.js

Filesize
6KB

MD5
c556461915105d0b7055da6076671d8d

SHA1
4a996b25b43bfc7ee1e52b7bb44b104853086150

SHA256
3b4138b9444ab56ca8b5d2db7a167bac30a887a50f7ad3e2967770bf8c0c35d1

SHA512
fc90cd8f981be353e9930eacf464b2bd71be59e6838e50e831b8b72a2adaf5b8770cf1362ddcdbc7d75a2ed04dabcb25547f52bd2874a169e1715f931a7dbd1a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\SyncthingLogonTask.js

Filesize
5KB

MD5
aa817f43df1ef138df3b7475e70f9f72

SHA1
802737daaa11bcc2b580b92ac3169a93de120d13

SHA256
841365856d0bbf46e265ef94657040771e09e9e02d19700c8972ffe2fa8e7343

SHA512
a3060ef94105bfcf944628f15692bc0ef22bba1e288fe16c0e382d835eafc10fe4943266f5120c217dc7af351735ef5456edcad1712e7318968ec38a644bc921

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe

Filesize
4.9MB

MD5
fd34d95c6024727d6a164587dfe6c097

SHA1
31f0465e19058039a091a130d914a6ade2e21c03

SHA256
8ece160c707b818d5a668dfe13ec72c8687e016773e075046add72afa8afaf4a

SHA512
0ae31fd2a6a0ecc0f6ccb80fc33652cf254e75e455a29352c85710e7150149344fd485c601702fbc77f11bbe4bbdc820dd7d071fd282ba2267dbd2ef9f9dee4a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe

Filesize
4.9MB

MD5
55d0bfe9e78bc84e711d0e315b587a49

SHA1
616667ffb10692d35af923c8b8298193f437081a

SHA256
7224abca7b4f7296ad1029e68ff3b86ef58ab122ea51c8ddc611aaeb7fa0aaf6

SHA512
573c16163b089274ab123f7ce75002af59f4c4d3dd61bef988583b60a034003e8b9dff982432e2ace9e2018452dc21b0b5d09861e1f1ab2a771528efd5203d38

Download Submit
C:\Users\Admin\AppData\Local\Programs\Syncthing\syncthing.exe

Filesize
5.1MB

MD5
03c3d30955f61c4eeb4601edf6c2ebbb

SHA1
8814174f8bf8c97ad2fff94764c69fb407878e2d

SHA256
3d38d3f10888494adee3b83f6f4570fe6a015f95cf89787c7f82bb5c2a927393

SHA512
03a8a66d0427ebcad6a6cbe02fe7b1141b19a44d7a7ef955517adcaba284f70222f3cd7839c164a6db03498e9e9caae46422c72a694cd4e7f89afb39984dc9db

Download Submit
C:\Users\Admin\AppData\Local\Syncthing\.syncthing.tmp.642402502

Filesize
8KB

MD5
2033eb3e79ad6156082f2c6826ff7c68

SHA1
7c84e27e02382bfd5fed8f8cdaac286fa4a12a9c

SHA256
38c37353a0adc3f89a79210bdef7e8a9bfa43eb71d76942b1a372ef69a2ee6ad

SHA512
5f8831309983a14e8658ecec904447688fb42be4dc6ec92ceceeb75277f4df170f48622d129d2da9aafea73c04737af01fca93de478fcf7ce8b4aad40431c695

Download Submit
C:\Users\Admin\AppData\Local\Syncthing\config.xml

Filesize
7KB

MD5
eedc9b1bbdc5fea03e6bc8d9ac9bb5fd

SHA1
6b41b4bf6a5ee4b7016125c9c9227337ddfd49f4

SHA256
455102fa2871525d63753cc08e1b67f5f27f345a14fe68d24cfeb20808299b69

SHA512
a52e38de1e282c19f9e41bf45a078a74342f0647aef3534083a81a9517b609463450992ba1eba4e358c4d9b2f5b7ee36c95b929763a9fbb7b32cd83cef11d134

Download Submit
C:\Users\Admin\AppData\Local\Syncthing\config.xml

Filesize
8KB

MD5
936c76b6f6ca45b4ea1e738cc8d156e4

SHA1
0577e71f88e915441b3d33a625c81adedf6c7a62

SHA256
b924b5e9da29f2a0e709a57070e09046489f3b3adf79d6ea4b5dd4803c0b3328

SHA512
9e7d1e1106ea3545fc2a50b755b50b5adebd5788885bf08bb8634d1c0f12ad292e7e2cc338e21d1f6d4f88f9613c71b3b6f6f1d8347d2786501b8651cf1fad26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I7AA.tmp\UninsIS.dll

Filesize
50KB

MD5
dabfa796f4c8c931201670d8304eed12

SHA1
157e1a0720742b5658c1d32fcd972e751b60ff18

SHA256
a699468a284b24a4cf759a6fbc4efc15ff5a99b2242677c919d0479d6ae700ff

SHA512
ba7c1608984ca8e0d45cd1d893fd174b940866543869e3e582c00acf105a31a209951c8b6255f89d61b6ba112232191fcc424acc5756324ed550466717a11e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S5VRQ.tmp\syncthing-1.27.2-setup.tmp

Filesize
3.1MB

MD5
842b319b78df728bb347583c3976ec03

SHA1
324c592b099c6c42346d3b8920495b20f3b231f0

SHA256
ff73bcb70e29026c82b79d7c60a677bbd5dd65a2ad219e4ff1b0949103215087

SHA512
5949593bb2f93c73d38a0edd3fb5b2e5c2ca3536023558a26b5ae84c9989836043e411e599bbecae816736fb7978de72fcaa78cb9b54ef733df1d67a6701fa17

Download Submit
memory/4324-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4324-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4324-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5984-116-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5984-11-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5984-13-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5984-5-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/5984-45-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/5984-67-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download