File name: Bully.exe

Full analysis: https://app.any.run/tasks/6c3e2ea7-c23f-4fb2-aa55-b2485f8888af
Verdict: Malicious activity
Analysis date: January 16, 2024, 00:50:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E8E22D8429AEC80249643BFB7644DC4F
SHA1: C746EE7A474A0188CE40FAA8ECF6C768B4D25E6F
SHA256: 2D7B7B5162BD74990735BAA43F2A4889DAC98180C41FD8255ACBCA0ECE9B5C43
SSDEEP: 98304:ir7ayGJ6kHOSktuRBrsr/za8sa982nk1Gn0AnFIyNt085fNjv/5BStI4Rf+D5lyA:lTx+7SWTB6A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Bully.exe (PID: 128)
    • Connects to the CnC server

      • Synaptics.exe (PID: 1792)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Bully.exe (PID: 128)
      • Synaptics.exe (PID: 1792)
      • Bully.exe (PID: 2588)
    • Executable content was dropped or overwritten

      • Bully.exe (PID: 128)
    • Reads settings of System Certificates

      • Synaptics.exe (PID: 1792)
    • Checks Windows Trust Settings

      • Synaptics.exe (PID: 1792)
    • Reads security settings of Internet Explorer

      • Synaptics.exe (PID: 1792)
  • INFO

    • Checks supported languages

      • Bully.exe (PID: 128)
      • Synaptics.exe (PID: 1792)
      • Bully.exe (PID: 2588)
    • Reads the computer name

      • Bully.exe (PID: 128)
      • Synaptics.exe (PID: 1792)
      • Bully.exe (PID: 2588)
    • Creates files in the program directory

      • Bully.exe (PID: 128)
      • Synaptics.exe (PID: 1792)
    • Reads the machine GUID from the registry

      • Bully.exe (PID: 128)
      • Synaptics.exe (PID: 1792)
      • Bully.exe (PID: 2588)
    • Checks proxy server information

      • Synaptics.exe (PID: 1792)
    • Manual execution by a user

      • Bully.exe (PID: 2588)
    • Creates files or folders in the user directory

      • Synaptics.exe (PID: 1792)
    • Create files in a temporary directory

      • Synaptics.exe (PID: 1792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (90.9)
.exe | Win32 EXE PECompact compressed (generic) (5.6)
.exe | Win32 Executable Delphi generic (1.9)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 8345088
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (details in the full report):
  • bully.exe
  • ._cache_bully.exe (no specs)
  • synaptics.exe
  • bully.exe
  • ._cache_bully.exe (no specs)

Process information

PID: 128
CMD: "C:\Users\admin\Desktop\Bully.exe"
Path: C:\Users\admin\Desktop\Bully.exe
Parent process: explorer.exe
User: admin
Company: Synaptics
Integrity Level: MEDIUM
Description: Synaptics Pointing Device Driver
Exit code: 0
Version: 1.0.0.4
Modules (images):
  c:\users\admin\desktop\bully.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 1036
CMD: "C:\Users\admin\Desktop\._cache_Bully.exe"
Path: C:\Users\admin\Desktop\._cache_Bully.exe
Parent process: Bully.exe
User: admin
Integrity Level: HIGH
Exit code: 3222601730
Modules (images):
  c:\users\admin\desktop\._cache_bully.exe
  c:\windows\system32\ntdll.dll

PID: 1404
CMD: "C:\Users\admin\Desktop\._cache_Bully.exe"
Path: C:\Users\admin\Desktop\._cache_Bully.exe
Parent process: Bully.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3222601730
Modules (images):
  c:\users\admin\desktop\._cache_bully.exe
  c:\windows\system32\ntdll.dll

PID: 1792
CMD: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Path: C:\ProgramData\Synaptics\Synaptics.exe
Parent process: Bully.exe
User: admin
Company: Synaptics
Integrity Level: HIGH
Description: Synaptics Pointing Device Driver
Exit code: 0
Version: 1.0.0.4
Modules (images):
  c:\programdata\synaptics\synaptics.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 2588
CMD: "C:\Users\admin\Desktop\Bully.exe"
Path: C:\Users\admin\Desktop\Bully.exe
Parent process: explorer.exe
User: admin
Company: Synaptics
Integrity Level: HIGH
Description: Synaptics Pointing Device Driver
Exit code: 0
Version: 1.0.0.4
Modules (images):
  c:\users\admin\desktop\bully.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
Total events: 6 603
Read events: 6 450
Write events: 153
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(128) Bully.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(128) Bully.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(128) Bully.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(128) Bully.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(128) Bully.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(1792) Synaptics.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
(1792) Synaptics.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(1792) Synaptics.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(1792) Synaptics.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(1792) Synaptics.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
Executable files: 4
Suspicious files: 10
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
128 | Bully.exe | C:\ProgramData\Synaptics\RCX441.tmp | executable
  MD5: 31E524FEE4A936939916AF7E2CC22196
  SHA256: B41C9FD8F689D49580A80B0E821A29AD5E29456FAE9384C11A4DAF97DCF08EF2
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_ACE741CAE478F9E8195FFCECA66B0544 | binary
  MD5: E53071217F4AAE9ED9BA9008738B0E29
  SHA256: 1556037EFB0FBD9BD04AFC8F1FC61882C6FBD8A6082CF811DF9D7F65755BDE79
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: AC89A852C2AAA3D389B2D2DD312AD367
  SHA256: 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: C270B66915DC2B5AF3921F1E74DB53D4
  SHA256: E4EDC1E897FC0E32ED7141CF43E7371B965B82BC846D413E7E8EEC3EDCD95E0B
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_921F9AECB814BEF93626AE98C6136F17 | binary
  MD5: 7546A687CD6ACAB4E3972E6EFCD4BCDC
  SHA256: 58FEDDAE3CACEB7306EECF210192E1C84E1352FFE3DA4F3CF9CFDCC36D2F52C3
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_ACE741CAE478F9E8195FFCECA66B0544 | binary
  MD5: DAFE2402B247CED4264F71D7F09755C7
  SHA256: BA955FD1AB377ED6B8C3962A0A761B2BC14E648B0A7BE6DB93D7DF1C85D5E330
1792 | Synaptics.exe | C:\Users\admin\AppData\Local\Temp\K3Ylmbm.ini | html
  MD5: F1D7974261C7B7DDF1AE58A70C12311F
  SHA256: 79743BA68034BA3474308DE7C2E700095B627815F16E749569E0099E0AFA58EC
1792 | Synaptics.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\NP3Y72SW.txt | text
  MD5: FAB7E287EAD4856F0DFB770FCC19F894
  SHA256: D32B3E36D1B28EC7D72AE1F1F122FBA66125ED24C7006C47421EE04D45A0F9B7
1792 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_921F9AECB814BEF93626AE98C6136F17 | binary
  MD5: 9F39BEE5328B70C5EF8E7D8755B5F424
  SHA256: 53EA2F5B650ADEFF0306AD6570E58809AE18C54031526A4FB56E4112324E9BB1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 10
DNS requests: 6
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1792 | Synaptics.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8b3221e4b66ea220 | unknown | compressed | 4.66 Kb | unknown
1792 | Synaptics.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
1792 | Synaptics.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCc21SZGmxMgAqM79mihzX3 | unknown | binary | 472 b | unknown
1792 | Synaptics.exe | GET | 200 | 174.128.246.100:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | unknown | text | 31 b | unknown
1792 | Synaptics.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
1792 | Synaptics.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEEkmJh4vi%2F2BCV%2F%2FttUhx%2BQ%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1792 | Synaptics.exe | 174.128.246.100:80 | freedns.afraid.org | ST-BGP | US | unknown
1792 | Synaptics.exe | 142.250.74.206:443 | docs.google.com | GOOGLE | US | whitelisted
1792 | Synaptics.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1792 | Synaptics.exe | 142.250.185.195:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
1792 | Synaptics.exe | 216.58.206.33:443 | drive.usercontent.google.com | GOOGLE | US | unknown

DNS requests

Domain | IP | Reputation
xred.mooo.com | - | unknown
freedns.afraid.org | 174.128.246.100 | whitelisted
docs.google.com | 142.250.74.206 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.pki.goog | 142.250.185.195 | whitelisted
drive.usercontent.google.com | 216.58.206.33 | unknown

Threats

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
3 ETPRO signatures available at the full report
No debug info