File name:

AdvOR-0.3.1.3.zip

Full analysis: https://app.any.run/tasks/66cbe9b9-4a0d-47b6-9882-c00a41cbb1a5
Verdict: Malicious activity
Analysis date: June 11, 2024, 20:17:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

7D5FD7CA82DA10ACA52491F3FF114894

SHA1:

0BC08B80C8C28526DFA6CC6F0D0C30ECC85600C3

SHA256:

8B87F3221F6C7A4599DA4B98C4C419BD1EBD66A6785D158F9840EEE07388402C

SSDEEP:

98304:XW2Mwn9DQcFhxRPT7XFHbxpykFx9wtzwJi07B3Mus2l2YUp7OXyJQsh7ZnmZXb1Z:/dj5GaeI/MfzVE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3976)

    • Connects to unusual port

      • AdvOR.exe (PID: 4016)

  • INFO

    • Checks supported languages

      • AdvOR.exe (PID: 4016)
      • wmpnscfg.exe (PID: 4056)

    • Reads the computer name

      • AdvOR.exe (PID: 4016)
      • wmpnscfg.exe (PID: 4056)

    • The dropped object may contain a URL to Tor Browser

      • WinRAR.exe (PID: 3976)

    • Reads the machine GUID from the registry

      • AdvOR.exe (PID: 4016)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)

    • Dropped object may contain TOR URL's

      • WinRAR.exe (PID: 3976)

    • Create files in a temporary directory

      • AdvOR.exe (PID: 4016)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 4056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: None
ZipModifyDate: 2013:11:30 16:27:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: AdvOR/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe advor.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3976"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\AdvOR-0.3.1.3.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4016"C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\AdvOR.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\AdvOR.exe
WinRAR.exe
User:
admin
Company:
Albu Cristian
Integrity Level:
MEDIUM
Description:
Advanced Onion Router
Exit code:
0
Version:
0.3.1.3
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3976.36289\advor\advor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
4056"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
3 809
Read events
3 789
Write events
20
Delete events
0

Modification events

(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\AdvOR-0.3.1.3.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
4
Suspicious files
0
Text files
77
Unknown types
0

Dropped files

PID
Process
Filename
Type
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\Dooble\AdvOR.initext
MD5:356A4D73DB8BC86AEA139A687636C40E
SHA256:498DEF29E93D93D6A5A8FFF21D53337680DA492C038B210508DD10844508712D
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\Img\AdvOR-AdvancedProxy.PNGimage
MD5:051E5FA2DA94A1C631F2E3446286E54E
SHA256:334E4EA9FBFBCD5535B0F5C8E1DC22BEC62F0F050AE8C6F7CAABFB60D594437B
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\AdvOR-English.lngtext
MD5:85771100C99C041AE29B9EC8CDF9D87C
SHA256:C61980AA365E748E2428E68CEF514B109E5413493BFBFB03FFAD1A18661AF877
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\AdvOR.dllexecutable
MD5:AA65C7D2890AF6ABD5BD431ECC16D581
SHA256:035B9976668A1D65F2A7331ECBD14AA85A13AEB113097F6E7D637DD4ECA1155A
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\AdvOR.htmlhtml
MD5:F9DF04ACB7464E1E6CF333BBF0F09908
SHA256:4F74856C84FB9A0B9023A35CFA45A1BF0389237E58A19A9BE2965342D1C3E66D
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\AdvOR.exeexecutable
MD5:0E4AF704E2432D4C20344E3E958762EB
SHA256:7CA68239E30E184C34EF9EAD4CF963B4572A90D4AEEBEFE00263EF4A0D63F24B
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Changelog.txttext
MD5:B59D3008C7700CBFCBCF200DD890C8E6
SHA256:4C5726E8CC8BF75E98F579DD5B874C1DBC674BDF137148DEBE33C23B11D033D3
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\Authors.txttext
MD5:01610E59B005FDE46E523FBF563CE150
SHA256:8F3E919EE5FA67E00101A4CEED2536ECA9577B189468590FBAAA62A37912DFB1
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\Dooble\patch-dooble.exeexecutable
MD5:640D8BBDE98734AE89DE2BECB2620102
SHA256:AF6CD3441CA575C5AE2AD5695C31B61700620E6C38F0C346EEB3A15E00ED9806
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.36289\AdvOR\Help\Img\AdvOR-BannedAddresses.PNGimage
MD5:5FAF047F9C236552116C7EF30626BC40
SHA256:D625D202CE892D25D18E7B7736BF94B7E5990079B04E1931D67F774D55AC9CBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
16
DNS requests
0
Threats
8

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
4016
AdvOR.exe
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
4016
AdvOR.exe
199.254.238.52:443
RISEUP
US
unknown
4016
AdvOR.exe
128.31.0.39:9101
MIT-GATEWAYS
US
malicious
4016
AdvOR.exe
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
4016
AdvOR.exe
216.218.219.41:443
HURRICANE
US
unknown
4016
AdvOR.exe
204.13.164.118:443
RISEUP
US
malicious
4016
AdvOR.exe
128.31.0.39:9201
MIT-GATEWAYS
US
malicious
4016
AdvOR.exe
66.111.2.131:9001
NYINTERNET
US
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 288
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139
4016
AdvOR.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 383
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 680
4016
AdvOR.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 379
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AdvOR-0.3.1.3.zip