File name:

地平线上海人工智能技术有限公司需求表.zip

Full analysis: https://app.any.run/tasks/9c124abf-cc56-49ef-b262-865fbc289185
Verdict: Malicious activity
Analysis date: July 25, 2024, 07:26:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

BB792037D2765085D3A79ED287FFDC52

SHA1:

33C1EA24716C3296CCBE056B4E440C55332B122F

SHA256:

C7F98F374F8EC513FC619213A8485DB128F2DDC3BE3538A10E650BF50C78B804

SSDEEP:

24576:IzTRtvC89eAeYzddLnwHuOfA2SAnwfm7VZz:IzTRtq89eAeYzddLnwHuO42SAnwfm7Vx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 5304)
      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Connects to the CnC server

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 5304)
      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5304)
      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Executable content was dropped or overwritten

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Reads the date of Windows installation

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Detected use of alternative data streams (AltDS)

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5304)
    • Checks supported languages

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
      • TextInputHost.exe (PID: 3204)
    • Create files in a temporary directory

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Reads the computer name

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
      • TextInputHost.exe (PID: 3204)
    • Checks proxy server information

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Reads Microsoft Office registry keys

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Process checks computer location settings

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
    • Reads the machine GUID from the registry

      • 地平线上海人工智能技术有限公司需求表.exe (PID: 4044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2022:06:23 13:23:48
ZipCRC: 0xb719e5d7
ZipCompressedSize: 495422
ZipUncompressedSize: 2038824
ZipFileName: 地平线上海人工智能技术有限公司需求表.exe
No data.
All screenshots are available in the full report
Total processes
143
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

start
winrar.exe
地平线上海人工智能技术有限公司需求表.exe
winword.exe
ai.exe (no specs)
slui.exe (no specs)
textinputhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2380
CMD:
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$EXa5304.18372\地平线上海人工智能技术有限公司需求表.docx" /o ""
Path:
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process:
地平线上海人工智能技术有限公司需求表.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
3204
CMD:
"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path:
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID:
4044
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa5304.18372\地平线上海人工智能技术有限公司需求表.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5304.18372\地平线上海人工智能技术有限公司需求表.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.10407.20032
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5304.18372\地平线上海人工智能技术有限公司需求表.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
4824
CMD:
"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "25E89D05-0623-4104-9BB1-621A59DC4D0F" "5CC10308-F381-4579-8FF1-A7AB3FFF3681" "2380"
Path:
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process:
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
PID:
5304
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\地平线上海人工智能技术有限公司需求表.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6428
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
27 648
Read events
27 220
Write events
393
Delete events
35

Modification events

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtBMP
Value:

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtIcon
Value:

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\地平线上海人工智能技术有限公司需求表.zip

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1

(PID) Process:
(5304) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
Executable files
3
Suspicious files
120
Text files
50
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID:
4044
Process:
地平线上海人工智能技术有限公司需求表.exe
Filename:
C:\Users\admin\AppData\Local\Temp\tem2E6E.tmp
Type:
image
MD5:
06B7953273C704915BB52A13C0BED203
SHA256:
A316A39852BAA0B8588C6BB8FE525FECEA3C5E74EACC8AA9E63C407DF4FF1891

PID:
4044
Process:
地平线上海人工智能技术有限公司需求表.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eQeL
Type:
executable
MD5:
795BDE4BF326C736DB5216F6B554823F
SHA256:
36C10A88083CAF4293AF5A5D0E2BC88C7153034D8893A5311C60B765B2425B08

PID:
4044
Process:
地平线上海人工智能技术有限公司需求表.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5304.18372\地平线上海人工智能技术有限公司需求表.docx
Type:
document
MD5:
D4CEBC274131AA0829E20BF2DFA7E877
SHA256:
575FEDBB831A0EA9B07A2BF87D9F149A12FB17D77D3F0054BB4B1CC1ECAAA3F9

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Type:
text
MD5:
CC90D669144261B198DEAD45AA266572
SHA256:
89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type:
binary
MD5:
D210F283114853223A32CC178B3097FF
SHA256:
414447F09D425FB811AD672BC352BE3E257940230C1A4C9AE869C327C6F8A95C

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Type:
text
MD5:
40396257D34C4D35577FDE26C9CD7E43
SHA256:
35E9E09F02DCE4ECAE56A5D33232763E4B13371E68F667D3F010111432C12C6D

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type:
binary
MD5:
152F58C984429A7D64A75CE590D863AD
SHA256:
6667B4474A21F69E7ED57D81567E0756822C578809D599D190FA934CB3A849E1

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type:
binary
MD5:
53958F76DCAF7C9D4AC177D73F5D37EF
SHA256:
9A0BB9FE131E3362F48866D6BDDF58196F2B5173E813F35A8AC7A3E06A1ABE03

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
Type:
binary
MD5:
71C7861AEA0810D75187CCE3E31A8E43
SHA256:
1D5307CB61A60CF787280966AE57EE3D20746A9E788AC6939D601EBDFB7A317A

PID:
2380
Process:
WINWORD.EXE
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5304.18372\~$线上海人工智能技术有限公司需求表.docx
Type:
binary
MD5:
8772BE43F888B5C1D0C79DBEDCD3FDFA
SHA256:
694843906931D9F672E8AA85A1809C219C3611B6CBAEFB8DBE3C90C7759BC346
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
98
DNS requests
26
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4044
地平线上海人工智能技术有限公司需求表.exe
GET
200
106.53.189.168:80
http://tool.zaonao.cn/favicon.ico
unknown
unknown
5272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2380
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
7128
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6560
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2380
WINWORD.EXE
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
2380
WINWORD.EXE
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
2380
WINWORD.EXE
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
2380
WINWORD.EXE
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6012
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3044
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4016
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.148:443
Akamai International B.V.
GB
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted
4204
svchost.exe
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:137
whitelisted
4044
地平线上海人工智能技术有限公司需求表.exe
106.53.189.168:80
tool.zaonao.cn
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
2380
WINWORD.EXE
52.109.32.97:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
tool.zaonao.cn
  • 106.53.189.168
unknown
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
omex.cdn.office.net
  • 23.48.23.66
  • 23.48.23.6
  • 23.48.23.62
  • 23.48.23.45
  • 23.48.23.18
whitelisted
messaging.lifecycle.office.com
  • 52.111.229.36
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.bing.com
  • 104.126.37.144
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.152
  • 104.126.37.139
  • 104.126.37.146
  • 104.126.37.145
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
4044
地平线上海人工智能技术有限公司需求表.exe
Potentially Bad Traffic
ET HUNTING Abnormal User-Agent No space after colon - Likely Hostile
4044
地平线上海人工智能技术有限公司需求表.exe
Misc Attack
ET Threatview.io High Confidence Cobalt Strike C2 IP group 16
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.