File name:	778e7627cb60bdbee67442429cb48e64674aea2cbce12683803e9415f4ea7fa6
Full analysis:	https://app.any.run/tasks/9a54f967-f4c0-4cb4-a076-91161ba498cd
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications. Malware Trends Tracker >>>
Analysis date:	May 25, 2025, 16:40:24
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros macros-on-open arch-exec xred backdoor auto-reg delphi dyndns snake keylogger
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	3768CB1B399BB6C41DCE2FE518A23A03
SHA1:	2E3ED35B9286AFA3CB69D55EE14FD6122ADBCF42
SHA256:	778E7627CB60BDBEE67442429CB48E64674AEA2CBCE12683803E9415F4EA7FA6
SSDEEP:	12288:S8W4d9EWfLU3oMh7LfydJqqqOpeTJdzAmr2YWM3FLA7XCj9bP0Qb5:Syd9LDyoMh7LfydJqupeTJZAmr2C3FLv

.xlsm	\|	Excel Microsoft Office Open XML Format document (with Macro) (50.8)
.xlsx	\|	Excel Microsoft Office Open XML Format document (30)
.zip	\|	Open Packaging Conventions container (15.4)
.zip	\|	ZIP compressed archive (3.5)

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2023:09:24 12:52:54
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	WS/


(PID) Process:	(5972) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:	(5972) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(5972) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8C000000
(PID) Process:	(5972) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000010901EF8A46ECE11A7FF00AA003CA9F648010000
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:	write	Name:	SessionId
Value: 1FE77B9198104D4A9B67C35603861E62
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\896
Operation:	write	Name:	0
Value: 0B0E109DB094EBA317984392F39DA60BB67D48230046BFBADBA6BCB2F3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5118007D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(896) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2

PID	Process	Filename		Type
6372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:E572563487CEA7892CE80FC2449DE8AA	SHA256:5A5EFF4DF61FC65D8BC626E35F2840B832453AE146AEAC9653E2BF4332DAB0C1
6372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\likelywell.rtf.LNK		binary
		MD5:4625B97B057B05DA910F64C1D94E129E	SHA256:697BB681D595621A79488102CA442C0DAA909FC3800DDDEAB2E90EBA03A0DBFD
6372	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
896	EXCEL.EXE	C:\Users\admin\Desktop\~$778e7627cb60bdbee67442429cb48e64674aea2cbce12683803e9415f4ea7fa6.xlsm		binary
		MD5:21E5D64E6DD2C94C577A61B0A25DE7A4	SHA256:657F0604A7C1F6CFDC4E8A224F59BD6E1900A4A4DD8B3F61A20F67DEBE41F209
6372	WINWORD.EXE	C:\Users\admin\Documents\~$kelywell.rtf		binary
		MD5:4FBCA4617F4D9D3A24DA826E370EF410	SHA256:939DDAA8A6EBED8C2EA6D6F9374421C997B5D687AF604A905F47ECD60DBB7FE5
6372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json		binary
		MD5:9E7E4E66353D118EDF450DCA89BC35F3	SHA256:7BA8424C869A7459826DEE95163895B2EAC18084F18D010FBE9FF7BFF57A8233
6372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmp		binary
		MD5:9E7E4E66353D118EDF450DCA89BC35F3	SHA256:7BA8424C869A7459826DEE95163895B2EAC18084F18D010FBE9FF7BFF57A8233
896	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D291C903-A53C-421F-8ECC-0A0655E7BD29		xml
		MD5:15C9679E1010B65ED606730F14AF5B8C	SHA256:A2AD872E1F01FF1261CDD68A87896D9C98F7613C153969937EF84B628AB88F5C
6372	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_41.ttf		binary
		MD5:A807151D5747F6460143DC1FD2C3195F	SHA256:C0C3B354480E34CCC0C25D371B30D0272DB86C786AF6438C217998B0A30E5EB0
5972	Synaptics.exe	C:\ProgramData\Synaptics\Synaptics.exe		executable
		MD5:387F4BE9B8636BC1859EEDF192F680F9	SHA256:5D8022DAA6751BDCDEB97D11166186C9D7BB2ED463EAF5307058E632C7DC7ABC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7856	RUXIMICS.exe	GET	200	23.216.77.7:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7856	RUXIMICS.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
660	Synaptics.exe	GET	200	69.42.215.252:80	http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	unknown	—	—	whitelisted
—	—	GET	200	52.109.28.46:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	179 Kb	whitelisted
—	—	GET	200	52.123.129.14:443	https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bEB94B09D-17A3-4398-92F3-9DA60BB67D48%7d&LabMachine=false	unknown	binary	388 Kb	whitelisted
—	—	GET	200	52.109.76.240:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	179 Kb	whitelisted
—	—	POST	200	13.107.6.156:443	https://roaming.officeapps.live.com/rs/RoamingSoapService.svc	unknown	text	654 b	whitelisted
—	—	GET	200	23.50.131.74:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	52.123.128.14:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b257FB418-5F3E-47AE-809D-3A180B836A4B%7d&LabMachine=false	unknown	binary	397 Kb	whitelisted
—	—	GET	200	23.212.222.21:443	https://fs.microsoft.com/fs/4.41/flatFontAssets.pkg	unknown	compressed	496 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7856	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7856	RUXIMICS.exe	23.216.77.7:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7856	RUXIMICS.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
660	Synaptics.exe	69.42.215.252:80	freedns.afraid.org	AWKNET	US	whitelisted
2196	svchost.exe	224.0.0.251:5353	—	—	—	unknown
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.7 23.216.77.20 23.216.77.38 23.216.77.18 23.216.77.19 23.216.77.16 23.216.77.13 23.216.77.41 23.216.77.5 23.216.77.22 23.216.77.21 23.216.77.27 23.216.77.23 23.216.77.25 23.216.77.11	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
xred.mooo.com	—	whitelisted
freedns.afraid.org	69.42.215.252	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
roaming.officeapps.live.com	52.109.76.243	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET MALWARE Snake Keylogger Payload Request (GET)
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe

General Info

778e7627cb60bdbee67442429cb48e64674aea2cbce12683803e9415f4ea7fa6

3768CB1B399BB6C41DCE2FE518A23A03

2E3ED35B9286AFA3CB69D55EE14FD6122ADBCF42

778E7627CB60BDBEE67442429CB48E64674AEA2CBCE12683803E9415F4EA7FA6

12288:S8W4d9EWfLU3oMh7LfydJqqqOpeTJdzAmr2YWM3FLA7XCj9bP0Qb5:Syd9LDyoMh7LfydJqupeTJZAmr2C3FLv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XRED mutex has been found

Changes the autorun value in the registry

Generic archive extractor

XRED has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

There is functionality for communication dyndns network (YARA)

INFO

Checks supported languages

Manual execution by a user

Reads the computer name

Creates files in the program directory

The sample compiled with turkish language support

Auto-launch of the file from Registry key

Process checks computer location settings

Reads Microsoft Office registry keys

Checks proxy server information

Compiled with Borland Delphi (YARA)

Reads the machine GUID from the registry

Reads the software policy settings

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings